Abstract

It is well-known that many environment-based abstract machines 
can be seen as strategies in lambda calculi with explicit substi- 
tutions (ES). Recently, graphical syntaxes and linear logic led 
to the linear substitution calculus (LSC), a new approach to ES 
that is halfway between big-step calculi and traditional calculi 
with ES. This paper studies the relationship between the LSC 
and environment-based abstract machines. While traditional cal- 
culi with ES simulate abstract machines, the LSC rather distills 
them: some transitions are simulated while others vanish, as they 
map to a notion of structural congruence. The distillation process 
unveils that abstract machines in fact implement weak linear head 
reduction, a notion of evaluation having a central role in the theory 
of linear logic. We show that such a pattern applies uniformly in 
call-by-name, call-by-value, and call-by-need, catching many ma- 
chines in the literature. We start by distilling the KAM, the CEK, 
and the ZINC, and then provide simplified versions of the SECD, 
the lazy KAM, and Sestoft's machine. Along the way we also in- 
troduce some new machines with global environments. Moreover, 
we show that distillation preserves the time complexity of the ex- 
ecutions, i.e. the LSC is a complexity-preserving abstraction of 
abstract machines. 


Keywords Abstract machines, explicit substitutions, linear logic. 

1. Introduction 

In the theory of higher-order programming languages, abstract ma- 
chines and explicit substitutions are two tools used to model the 
execution of programs on real machines while omitting many de- 
tails of the actual implementation. Abstract machines can usually 
be seen as evaluation strategies in calculi of explicit substitutions 
(see at least [12, 15, 25, 31]), that can in turn be interpreted as 
small-step cut-elimination strategies in sequent calculi [10]. 

Another tool providing a fine analysis of higher-order evalu- 
ation is linear logic, especially via the new perspectives on cut- 
elimination provided by proof nets, its graphical syntax. Explicit 
substitutions (ES) have been connected to linear logic by Kesner
and co-authors in a sequence of works [21, 27, 28], culminating 
in the linear substitution calculus (LSC), a new formalism with 
ES behaviorally isomorphic to proof nets (introduced in [4], de- 
veloped in [1-3, 5, 6], and bearing similarities with calculi by De 
Bruijn [20], Nederpelt [37], and Milner [36]). Since linear logic can 
model all evaluation schemes (call-by-name/value/need) [34], the 
LSC can express them modularly, by minor variations on rewriting 
rules and evaluation contexts. In this paper we revisit the relation- 
ship between environment-based abstract machines and ES. Tradi- 
tionally, ES simulate machines. The LSC, instead, distills them. 

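Traditional vs Contextual ES. Traditional calculi with ES (see
[26] for a survey) implement β-reduction $(\lambda x.t)u \to_\beta t\{x{\leftarrow}u\}$
introducing an annotation (the explicit substitution $[x{\leftarrow}u]$),

$$(\lambda x.t)u \to_{\mathtt{B}} t[x{\leftarrow}u]$$

and percolating it through the term structure,

$$\begin{array}{rcl}
(tw)[x{\leftarrow}u] & \to_{@} & t[x{\leftarrow}u]\,w[x{\leftarrow}u] \\
(\lambda x.t)[y{\leftarrow}u] & \to_{\lambda} & \lambda x.t[y{\leftarrow}u]
\end{array} \tag{1}$$

until they reach variable occurrences on which they finally substitute
or get garbage collected,

$$y[x{\leftarrow}u] \to_{\mathtt{gc}} y$$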

The LSC, instead, is based on a contextual view of evaluation
and substitution, also known as at a distance. The idea is that one
can get rid of the rules percolating through the term structure —
i.e. $\to_{@}$ and $\to_{\lambda}$ — by introducing contexts $C$ (i.e. terms with a hole
$\langle\cdot\rangle$) and generalizing the base cases, obtaining just two rules, linear
substitution (ls) and garbage collection (gc):

$$\begin{array}{rcll}
C\langle x\rangle[x{\leftarrow}u] & \to_{\mathtt{ls}} & C\langle u\rangle & \\
t[x{\leftarrow}u] & \to_{\mathtt{gc}} & t & \text{if } x \notin \mathtt{fv}(t)
\end{array}$$

Dually, the rule creating substitutions (B) is generalized to act up
to a context of substitutions $[\ldots{\leftarrow}\ldots] := [x_1{\leftarrow}w_1]\ldots[x_k{\leftarrow}w_k]$
obtaining rule dB (B at a distance):

$$(\lambda x.t)[\ldots{\leftarrow}\ldots]\,u \to_{\mathtt{dB}} t[x{\leftarrow}u][\ldots{\leftarrow}\ldots]$$

Logical Perspective on the LSC. From a sequent calculus point
of view, rules $\to_{@}$ and $\to_{\lambda}$, corresponding to commutative
cut-elimination cases, are removed and integrated — via the use of
contexts — directly in the definition of the principal cases $\to_{\mathtt{B}}$, $\to_{\mathtt{var}}$
and $\to_{\mathtt{gc}}$, obtaining the contextual rules $\to_{\mathtt{dB}}$, $\to_{\mathtt{ls}}$, and $\to_{\mathtt{gc}}$. This is the
term analogue of the removal of commutative cases provided by
proof nets. From a linear logic point of view, $\to_{\mathtt{dB}}$ can be identified
with the multiplicative cut-elimination case $\to_{\mathtt{m}}$, while $\to_{\mathtt{ls}}$ and
$\to_{\mathtt{gc}}$ correspond to exponential cut-elimination. Actually, garbage
collection has a special status, as it can always be postponed. We
will then identify exponential cut-elimination $\to_{\mathtt{e}}$ with linear
substitution $\to_{\mathtt{ls}}$ alone.



The LSC has a simple meta-theory, and is halfway between
traditional calculi with ES — with whom it shares the small-step
dynamics — and λ-calculus — of which it retains most of the
simplicity.

Distilling Abstract Machines. Abstract machines implement the 
traditional approach to ES, by 

1. Weak Evaluation: forbidding reduction under abstraction (no
rule $\to_{\lambda}$ in (1)),

2. Evaluation Strategy: looking for redexes according to some
notion of weak evaluation context $E$,

3. Context Representation: using environments $e$ (aka lists of
substitutions) and stacks $\pi$ (lists of terms) to keep track of the
current evaluation context.

The LSC distills — i.e. factorizes — abstract machines. The
idea is that one can represent the strategy of an abstract machine by
directly plugging the evaluation context in the contextual
substitution/exponential rule, obtaining:

$$E\langle x\rangle[x{\leftarrow}u] \to_{\mathtt{e}} E\langle u\rangle$$

and factoring out part of the machine that just looks for the next
redex to reduce. By defining $\multimap$ as the closure of $\to_{\mathtt{e}}$ and $\to_{\mathtt{dB}}$
by evaluation contexts $E$, one gets a clean representation of the
machine strategy.

The mismatch between the two approaches is in rule $\to_{@}$, that
contextually — by nature — cannot be captured. In order to get
out of this cul-de-sac, the very idea of simulation of an abstract
machine must be refined to that of distillation.

The crucial observation is that the equivalence $\equiv$ induced by
$\to_{@} \cup \to_{\mathtt{gc}}$ has the same special status of $\to_{\mathtt{gc}}$, i.e. it can be
postponed without affecting reduction lengths. More abstractly, $\equiv$
is a strong bisimulation with respect to $\multimap$, i.e. it verifies (note one
step to one step, and vice versa)

$$\begin{array}{ccc} t & \multimap & r \\ \equiv & & \\ u & & \end{array}
\quad\Rightarrow\quad \exists q \text{ s.t. }
\begin{array}{ccc} t & \multimap & r \\ \equiv & & \equiv \\ u & \multimap & q \end{array}$$

Now, $\equiv$ can be considered as a structural equivalence on the
language. Indeed, the strong bisimulation property states that the
transformation expressed by $\equiv$ is irrelevant with respect to $\multimap$, in
particular $\equiv$-equivalent terms have $\multimap$-evaluations of the same length
ending in $\equiv$-equivalent terms (and this holds even locally).

Abstract machines then are distilled: the logically relevant part
of the substitution process is retained by $\multimap$ while both the search of
the redex $\to_{@}$ and garbage collection are isolated into the
equivalence $\equiv$. Essentially, $\multimap$ captures principal cases of cut-elimination
while $\equiv$ encapsulates the commutative ones (plus garbage collection,
corresponding to principal cut-elimination involving weakenings).

Case Studies. We will analyze along these lines many abstract 
machines. Some are standard (KAM [29], CEK [23], ZINC [32]), 
some are new (MAM, WAM), and of others we provide simpler 
versions (SECD [30], Lazy KAM [15, 19], Sestoft's [39]). The 
previous explanation is a sketch of the distillation of the KAM, but 
the approach applies mutatis mutandis to all the other machines, 
encompassing most realizations of call-by-name, call-by-value, and 
call-by-need evaluation. The main contribution of the paper is
indeed a modular contextual theory of abstract machines. We start 
by distilling some standard cases, and then rationally reconstruct 
and simplify non-trivial machines as the SECD, the lazy KAM, 
and Sestoft's abstract machine for call-by-need (deemed SAM), by 
enlightening their mechanisms as different encodings of evaluation
contexts, modularly represented in the LSC. 



Call-by-Need. Along the way, we show that the contextual (or at 
a distance) approach of the LSC naturally leads to simple machines 
with just one global environment, as the newly introduced MAM 
(M for Milner). Such a feature is then shown to be a key ingredient
of call-by-need machines, by using it to introduce a new and simple 
call-by-need machine, the WAM (W for Wadsworth), and then 
showing how to obtain (simplifications of) the Lazy KAM and the 
SAM by simple tweaks. 

Distillation is Complexity-Preserving. It is natural to wonder
what is lost in the distillation process. What is the asymptotic
impact of distilling machine executions into $\multimap$? Does it affect in
any way the complexity of evaluation? We will show that nothing
is lost, as machine executions are only linearly longer than $\multimap$.
More precisely, they are bilinear, i.e. they are linear in 1) the
length of $\multimap$, and in 2) the size $|t|$ of the starting term $t$. In other
words, the search of redexes and garbage collection can be safely
ignored in quantitative (time) analyses, i.e. the LSC and $\multimap$ provide
a complexity-preserving abstraction of abstract machines. While in
call-by-name and call-by-value such an analysis follows from an
easy local property of machine executions, the call-by-need case is
subtler, as such a local property does not hold and bilinearity can
be established only via a global analysis.

Linear Logic and Weak Linear Head Reduction. Beyond the 
contextual view, our work also unveils a deep connection between 
abstract machines and linear logic. The strategies modularly
encoding the various machines (generically noted $\multimap$ and parametric
in a fixed notion of evaluation contexts) are in fact
call-by-name/value/need versions of weak linear head reduction (WLHR),
a fundamental notion in the theory of linear logic [2, 14, 17, 22, 35]. 
This insight — due to Danos and Regnier for the KAM [16] — is 
not ours, but we develop it in a simpler and tighter way, modularly 
lifting it to many other abstract machines. 

Call-by-Name. The call-by-name case (catching the KAM and 
the new MAM) is in fact special, as our distillation theorem has 
three immediate corollaries, following from results about WLHR 
in the literature: 

1. Invariance: it implies that the length of a KAM/MAM execution
is an invariant time cost model (i.e. polynomially related
to, say, Turing machines, in both directions), given that in [3]
the same is shown for WLHR.

2. Evaluation as Communication: we implicitly establish a link
between the KAM/MAM and the π-calculus, given that the
evaluation of a term via WLHR is isomorphic to evaluation via
Milner's encoding in the π-calculus [2].

3. Plotkin's Approach: our study complements the recent [6],
where it is shown that WLHR is a standard strategy of the LSC.
The two works together provide the lifting to explicit
substitutions of Plotkin's approach of relating a machine (the SECD
machine in that case, the KAM/MAM in ours) and a calculus
(the call-by-value λ-calculus and the LSC, respectively) via a
standardization theorem and a standard strategy [38].

Related Work. Beyond the already cited works, Danvy and
coauthors have studied abstract machines in a number of works and
ways (see at least [7, 8, 11, 12, 19]). What here we call commutative
transitions essentially corresponds to what Danvy and Nielsen call 
decompose phase in [18]. The call-by-need calculus we use — that 
is a contextual re-formulation of Maraist, Odersky, and Wadler's 
calculus [33] — is a novelty of this paper. It is simpler than both Ar- 
iola and Felleisen's [9] and Maraist, Odersky, and Wadler's calculi 
because it does not need any re-association axioms. Morally, it is a 
version with let-bindings (avatars of ES) of Chang and Felleisen's 
calculus [13]. A similar calculus is used by Danvy and Zerny in
[19], where, similarly to us, they explore various call-by-need
machines in relation to various calculi. The differences are that 1) they
focus on the contrast between store-based and storeless machines,
2) they do not stress the value of contexts as we do here, 3) they do
not connect their study to linear logic. Another call-by-need
machine, which we do not deal with, appears in [24].

2. Preliminaries on the Linear Substitution 
Calculus 

Terms and Contexts. The language of the weak linear substitution
calculus (WLSC) is generated by the following grammar:

$$t,u,w,r,q,p ::= x \mid v \mid tu \mid t[x{\leftarrow}u] \qquad v ::= \lambda x.t$$

The constructor $t[x{\leftarrow}u]$ is called an explicit substitution (of $u$ for
$x$ in $t$). The usual (implicit) substitution is instead denoted by
$t\{x{\leftarrow}u\}$. Both $\lambda x.t$ and $t[x{\leftarrow}u]$ bind $x$ in $t$, with the usual notion
of α-equivalence. Values, noted $v$, do not include variables: this is
a standard choice in the study of abstract machines.

Contexts are terms with one occurrence of the hole $\langle\cdot\rangle$, an
additional constant. We will use many different contexts. The most
general ones will be weak contexts $W$ (i.e. not under abstractions),
which are defined by:

$$W, W' ::= \langle\cdot\rangle \mid Wu \mid tW \mid W[x{\leftarrow}u] \mid t[x{\leftarrow}W]$$

The plugging $W\langle t\rangle$ (resp. $W\langle W'\rangle$) of a term $t$ (resp. context
$W'$) in a context $W$ is defined as $\langle\cdot\rangle\langle t\rangle := t$ (resp. $\langle\cdot\rangle\langle W'\rangle := W'$),
$(Wu)\langle t\rangle := W\langle t\rangle u$ (resp. $(Wu)\langle W'\rangle := W\langle W'\rangle u$), and so
on. The set of free variables of a term $t$ (or context $W$) is denoted
by $\mathtt{fv}(t)$ (resp. $\mathtt{fv}(W)$). Plugging in a context may capture free
variables (replacing holes on the left of substitutions). These
notions will be silently extended to all the contexts used in the paper.

Rewriting Rules. On the above terms, one may define several
variants of the LSC by considering two elementary rewriting rules,
distance-β (dB) and linear substitution (ls), each one coming in
two variants, call-by-name and call-by-value (the latter variants
being abbreviated by dBv and lsv), and pairing them in different
ways and with respect to different evaluation contexts.

The rewriting rules rely in multiple ways on contexts. We start
by defining substitution contexts, generated by

$$L ::= \langle\cdot\rangle \mid L[x{\leftarrow}t].$$

A term of the form $L\langle v\rangle$ is an answer. Given a family of contexts
$C$, the two variants of the elementary rewriting rules, also called
root rules, are defined as follows:

$$\begin{array}{rcl}
L\langle\lambda x.t\rangle u & \mapsto_{\mathtt{dB}} & L\langle t[x{\leftarrow}u]\rangle \\
L\langle\lambda x.t\rangle L'\langle v\rangle & \mapsto_{\mathtt{dBv}} & L\langle t[x{\leftarrow}L'\langle v\rangle]\rangle \\
C\langle x\rangle[x{\leftarrow}u] & \mapsto_{\mathtt{ls}} & C\langle u\rangle[x{\leftarrow}u] \\
C\langle x\rangle[x{\leftarrow}L\langle v\rangle] & \mapsto_{\mathtt{lsv}} & L\langle C\langle v\rangle[x{\leftarrow}v]\rangle
\end{array}$$

In the linear substitution rules, we assume that $x \in \mathtt{fv}(C\langle x\rangle)$,
i.e., the context $C$ does not capture the variable $x$, and we also
silently work modulo α-equivalence to avoid variable capture in
the rewriting rules. Moreover, we use the notations $\mapsto_{\mathtt{ls}}$ and $\mapsto_{\mathtt{lsv}}$
to specify the family of contexts used by the rules, with $C$ being
the meta-variable ranging over such contexts.

All of the above rules are at a distance (or contextual) because
their definition involves contexts. Distance-β and linear substitution
correspond, respectively, to the so-called multiplicative and
exponential rules for cut-elimination in proof nets. The presence
of contexts is how locality on proof nets is reflected on terms.

A linear substitution calculus is defined by a choice of root
rules, i.e., one of dB/dBv and one of ls/lsv, and a family of
evaluation contexts. The chosen distance-β (resp. linear substitution)
root rule is generically denoted by $\mapsto_{\mathtt{m}}$ (resp. $\mapsto_{\mathtt{e}}$). If $E$ ranges over
a fixed notion of evaluation context, the context-closures of the
root rules are denoted by $\multimap_{\mathtt{m}} := E\langle\mapsto_{\mathtt{m}}\rangle$ and $\multimap_{\mathtt{e}} := E\langle\mapsto_{\mathtt{e}}\rangle$, where
m (resp. e) stands for multiplicative (exponential). The rewriting
relation defining the calculus is then $\multimap := \multimap_{\mathtt{m}} \cup \multimap_{\mathtt{e}}$.

Calculi. We consider four calculi, noted $\mathtt{Name}$, $\mathtt{Value}^{LR}$,
$\mathtt{Value}^{RL}$, and $\mathtt{Need}$, and defined in the left half of Tab. 1. They
correspond to four standard evaluation strategies for functional lan- 
guages. We are actually slightly abusing the terminology, because 
— as we will show — they are deterministic calculi and thus should 
be considered as strategies. Our abuse is motivated by the fact that 
they are not strategies in the same calculus. 

The evaluation contexts for Name are called weak head contexts 
and implement a strategy known as weak linear head reduction. 
The original presentation of this strategy does not use explicit 
substitutions [16, 35]. The presentation in use here has already 
appeared in [2, 6] (see also [1, 3]) as the weak head strategy of the 
linear substitution calculus (which is obtained by considering all 
contexts as evaluation contexts), and it avoids many technicalities 
of the original one. In particular, its relationship with the KAM is 
extremely natural, as we will show. 

For call-by-value calculi, left-to-right ($\mathtt{Value}^{LR}$) and
right-to-left ($\mathtt{Value}^{RL}$) refer to the evaluation order of applications, i.e. they
correspond to function body first and argument first, respectively.
The two calculi we consider here can be seen as strategies of a
small-step variant of the value substitution calculus, the (big-step)
call-by-value calculus at a distance introduced and studied in [5].

The call-by-need calculus $\mathtt{Need}$ is a novelty of this paper, and
can be seen either as a version at a distance of the calculi of [9, 33]
or as a version with explicit substitution of the one in [13]. It
fully exploits the fact that the two variants of the root rules may
be combined: the β-rule is call-by-name, which reflects the fact
that, operationally, the strategy is by name, but substitution is
call-by-value, which forces arguments to be evaluated before being
substituted, reflecting the by need content of the strategy. Note that
its evaluation contexts extend the weak head contexts for
call-by-name with a clause ($N'\langle x\rangle[x{\leftarrow}N]$) turning them into hereditarily
weak head contexts. This new clause is how sharing is implemented
by the reduction strategy. The general (non-deterministic) calculus
is obtained by closing the root rules by all contexts, but its study
is omitted. What we deal with here can be thought of as its standard
strategy (stopping on a sort of weak head normal form).

As mentioned above, an essential property of all these four 
calculi is that they are deterministic, because they implement a 
reduction strategy. 

Proposition 2.1 (Determinism). The reduction relations of the four
calculi of Tab. 1 are deterministic: in each calculus, if $E_1, E_2$ are
evaluation contexts and if $r_1, r_2$ are redexes (i.e., terms matching
the left hand side of the root rules defining the calculus),
$E_1\langle r_1\rangle = E_2\langle r_2\rangle$ implies $E_1 = E_2$ and $r_1 = r_2$, so that there is at most one
way to reduce a term.

Proof. See Sect. A in the appendix (page 13). □


Structural equivalence. Another common feature of the four
calculi is that they come with a notion of structural equivalence,
denoted by $\equiv$. Consider Fig. 1. For call-by-name and call-by-value
calculi, $\equiv$ is defined as the smallest equivalence relation containing
the closure by weak contexts of
$\equiv_{\alpha} \cup \equiv_{\mathtt{gc}} \cup \equiv_{\mathtt{dup}} \cup \equiv_{@} \cup \equiv_{\mathtt{com}} \cup \equiv_{[\cdot]}$,
where $\equiv_{\alpha}$ is α-equivalence. Call-by-need evaluates inside
some substitutions (but not any substitution) and thus axioms such as
$\equiv_{\mathtt{dup}}$ and $\equiv_{@}$ are too strong. Therefore, the structural equivalence
for call-by-need is the one generated by $\equiv_{@l} \cup \equiv_{\mathtt{com}} \cup \equiv_{[\cdot]}$.

Structural equivalence represents the fact that certain manipula- 
tions on explicit substitutions are computationally irrelevant, in the 



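Calculus              Evaluation contexts
$\mathtt{Name}$        $H ::= \langle\cdot\rangle \mid Ht \mid H[x{\leftarrow}t]$
$\mathtt{Value}^{LR}$  $V ::= \langle\cdot\rangle \mid Vt \mid L\langle v\rangle V \mid V[x{\leftarrow}t]$
$\mathtt{Value}^{RL}$  $S ::= \langle\cdot\rangle \mid SL\langle v\rangle \mid tS \mid S[x{\leftarrow}t]$
$\mathtt{Need}$        $N ::= \langle\cdot\rangle \mid Nt \mid N[x{\leftarrow}t] \mid N'\langle x\rangle[x{\leftarrow}N]$

Table 1. The four linear substitution calculi.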



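$$\begin{array}{rcll}
t[x{\leftarrow}u] & \equiv_{\mathtt{gc}} & t & \text{if } x \notin \mathtt{fv}(t) \\
t[x{\leftarrow}u][y{\leftarrow}w] & \equiv_{\mathtt{com}} & & \text{if } y \notin \mathtt{fv}(w) \\
t[x{\leftarrow}u][y{\leftarrow}w] & \equiv_{[\cdot]} & t[x{\leftarrow}u[y{\leftarrow}w]] & \text{if } y \notin \mathtt{fv}(t) \\
 & \equiv_{\mathtt{dup}} & & \\
(tw)[x{\leftarrow}u] & \equiv_{@} & t[x{\leftarrow}u]\,w[x{\leftarrow}u] & \\
(tw)[x{\leftarrow}u] & \equiv_{@l} & t[x{\leftarrow}u]\,w & \text{if } x \notin \mathtt{fv}(w)
\end{array}$$

Figure 1. Axioms for structural equivalences. In $\equiv_{\mathtt{dup}}$, $t_{[y]_x}$ denotes a term obtained from $t$ by renaming some (possibly none) occurrences
of $x$ as $y$.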



sense that they yield behaviorally equivalent terms. Technically, it 
is a strong bisimulation: 

Proposition 2.2 ($\equiv$ is a Strong Bisimulation). Let $\multimap_{\mathtt{m}}$, $\multimap_{\mathtt{e}}$ and $\equiv$
be the reduction relations and the structural equivalence relation
of any of the calculi of Tab. 1, and let $x \in \{\mathtt{m}, \mathtt{e}\}$. Then, $t \equiv u$ and
$t \multimap_x t'$ implies that there exists $u'$ such that $u \multimap_x u'$ and $t' \equiv u'$.

Proof. See Sect. B of the appendix (page 14). □




The essential property of strong bisimulations is that they can 
be postponed. In fact, it is immediate to prove the following, which 
holds for all four calculi: 

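Lemma 2.3 ($\equiv$ Postponement). If $t\ (\multimap_{\mathtt{m}} \cup \multimap_{\mathtt{e}} \cup \equiv)^{*}\ u$ then
$t\ (\multimap_{\mathtt{m}} \cup \multimap_{\mathtt{e}})^{*} \equiv u$ and the number of $\multimap_{\mathtt{m}}$ and $\multimap_{\mathtt{e}}$ steps in the
two reduction sequences is exactly the same.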

In the simulation theorems for machines with a global environ- 
ment (see Sect. 7.1 and Sect. 8) we will also use the following com- 
mutation property between substitutions and evaluation contexts 
via the structural equivalence of every evaluation scheme, proved 
by an easy induction on the actual definition of evaluation contexts. 

Lemma 2.4 (ES Commute with Evaluation Contexts via $\equiv$). For
every evaluation scheme let $C$ denote an evaluation context s.t.
$x \notin \mathtt{fv}(C)$ and $\equiv$ be its structural equivalence. Then
$C\langle t\rangle[x{\leftarrow}u] \equiv C\langle t[x{\leftarrow}u]\rangle$.

3. Preliminaries on Abstract Machines. 

Codes. All the abstract machines we will consider execute pure
λ-terms. In our syntax, these are nothing but terms without explicit
substitutions. Moreover, while for calculi we work implicitly
modulo α, for machines we will not consider terms up to α, as
the handling of α-equivalence characterizes different approaches to
abstract machines. To stress these facts, we use the metavariables
$\overline{t}, \overline{u}, \overline{w}, \overline{r}$ for pure λ-terms (not up to α) and $\overline{v}$ for pure values.

States. A machine state $s$ will have various components, of
which the first will always be the code, i.e. a pure λ-term $\overline{t}$. The
others (environment, stack, dump) are all considered as lists, whose
constructors are the empty list $\epsilon$ and the concatenation operator $::$. A
state $s$ of a machine is initial if its code $\overline{t}$ is closed (i.e., $\mathtt{fv}(\overline{t}) = \emptyset$)
and all other components are empty. An execution $\rho$ is a sequence
of transitions of the machine $s_0 \to^{*} s$ from an initial state $s_0$. In
that case, we say that $s$ is a reachable state, and if $\overline{t}$ is the code of
$s_0$ then $\overline{t}$ is the initial code of $s$.

Invariants. For every machine our study will rely on a lemma
about some dynamic invariants, i.e. some properties of the
reachable states that are stable by executions. The lemma is always
proved by a straightforward induction on the length of the
execution and the proof is omitted.

Environments and Closures. There will be two types of
machines, those with many local environments and those with just one
global environment. Machines with local environments are based
on the mutually recursive definition of closure (ranged over by $c$)
and environment ($e$):

$$c ::= (\overline{t}, e) \qquad e ::= \epsilon \mid [x{\leftarrow}c] :: e$$

Global environments are defined by $E ::= \epsilon \mid [x{\leftarrow}\overline{t}] :: E$, and global
environment machines will have just one global closure $(\overline{t}, E)$.

Well-Named and Closed Closures. The explicit treatment of
α-equivalence is based on particular representants of α-classes
defined via the notion of support. The support $\Delta$ of codes,
environments, and closures is defined by:

• $\Delta(\overline{t})$ is the multiset of its bound names (e.g.
$\Delta(\lambda x.\lambda y.\lambda x.(zx)) = [x,x,y]$).

• $\Delta(e)$ is the multiset of names captured by $e$ (for example
$\Delta([x{\leftarrow}c_1][y{\leftarrow}c_2][x{\leftarrow}c_3]) = [x,x,y]$), and similarly for
$\Delta(E)$.

• $\Delta(\overline{t}, e) := \Delta(\overline{t}) + \Delta(e)$ and $\Delta(\overline{t}, E) := \Delta(\overline{t}) + \Delta(E)$.

A code/environment/closure is well-named if its support is a set
(i.e. a multiset with no repetitions). Moreover, a closure $(\overline{t}, e)$ (resp.
$(\overline{t}, E)$) is closed if $\mathtt{fv}(\overline{t}) \subseteq \Delta(e)$ (resp. $\mathtt{fv}(\overline{t}) \subseteq \Delta(E)$).

4. Distilleries 

This section presents an abstract, high-level view of the relationship 
between abstract machines and linear substitution calculi, via the 
notion of distillery. 



Definition 4.1. A distillery $D = (M, C, \equiv, \underline{\cdot})$ is given by:

1. An abstract machine $M$, given by

(a) a deterministic labeled transition system $\to$ on states $s$;

(b) a distinguished class of states called initials (in bijection
with closed λ-terms, and from which applying $\to$ one
obtains the reachable states);

(c) a partition of its labels as:

• several commutative transitions, collectively noted $\to_{\mathtt{c}}$;
• two principal transitions, denoted by $\to_{\mathtt{m}}$ and $\to_{\mathtt{e}}$ (for
multiplicative and exponential);

2. a linear substitution calculus $C$ given by a pair $(\multimap_{\mathtt{m}}, \multimap_{\mathtt{e}})$ of
rewriting relations on terms with ES;

3. a structural equivalence $\equiv$ on terms s.t. it is a strong
bisimulation with respect to $\multimap_{\mathtt{m}}$ and $\multimap_{\mathtt{e}}$;

4. a distillation $\underline{\cdot}$, i.e. a decoding function from states to terms, s.t.
on reachable states:

• Commutative: $s \to_{\mathtt{c}} s'$ implies $\underline{s} \equiv \underline{s'}$.

• Multiplicative: $s \to_{\mathtt{m}} s'$ implies $\underline{s} \multimap_{\mathtt{m}} \equiv \underline{s'}$;

• Exponential: $s \to_{\mathtt{e}} s'$ implies $\underline{s} \multimap_{\mathtt{e}} \equiv \underline{s'}$.

Given a distillery, the simulation theorem holds abstractly. Let
$|\rho|$ (resp. $|d|$), $|\rho|_{\mathtt{m}}$ (resp. $|d|_{\mathtt{m}}$), $|\rho|_{\mathtt{e}}$ (resp. $|d|_{\mathtt{e}}$), and $|\rho|_{\mathtt{p}}$ denote the
number of unspecified, multiplicative, exponential, and principal
steps in an execution (resp. derivation).

Theorem 4.2 (Simulation). Let $D$ be a distillery. Then for every
execution $\rho : s \to^{*} s'$ there is a derivation $d : \underline{s} \multimap^{*} \equiv \underline{s'}$ s.t.
$|\rho|_{\mathtt{m}} = |d|_{\mathtt{m}}$, $|\rho|_{\mathtt{e}} = |d|_{\mathtt{e}}$, and $|\rho|_{\mathtt{p}} = |d|$.

Proof. By induction on $|\rho|$ and by the properties of the decoding,
it follows that there is a derivation $e : \underline{s}\,(\multimap\equiv)^{*}\,\underline{s'}$ s.t. the number
$|\rho|_{\mathtt{p}} = |e|$. The witness $d$ for the statement is obtained by applying
the postponement of strong bisimulations (Lemma 2.3) to $e$. □

Reflection. Given a distillery, one would also expect that reduc- 
tion in the calculus is reflected in the machine. This result in fact 
requires two additional abstract properties. 

Definition 4.3 (Reflective Distillery). A distillery is reflective
when:

Termination: $\to_{\mathtt{c}}$ terminates (on reachable states); hence, by
determinism, every state $s$ has a unique commutative normal form
$\mathtt{nf}_{\mathtt{c}}(s)$;

Progress: if $s$ is reachable, $\mathtt{nf}_{\mathtt{c}}(s) = s$ and $\underline{s} \multimap_x t$ with $x \in \{\mathtt{m}, \mathtt{e}\}$,
then there exists $s'$ such that $s \to s'$, i.e., $s$ is not final.

Then, we may prove the following reflection of steps in full 
generality: 

Proposition 4.4 (Reflection). Let $D$ be a reflective distillery, $s$ be a
reachable state, and $x \in \{\mathtt{m}, \mathtt{e}\}$. Then, $\underline{s} \multimap_x u$ implies that there
exists a state $s'$ s.t. $\mathtt{nf}_{\mathtt{c}}(s) \to_x s'$ and $\underline{s'} \equiv u$.

In other words, every rewriting step on the calculus can be also 
performed on the machine, up to commutative transitions. 

Proof. The proof is by induction on the number $n$ of transitions
leading from $s$ to $\mathtt{nf}_{\mathtt{c}}(s)$.

• Base case $n = 0$: by the progress property, we have $s \to_{x'} s'$
for some state $s'$ and $x' \in \{\mathtt{m}, \mathtt{e}\}$. By Theorem 4.2, we have
$\underline{s} \multimap_{x'} u' \equiv \underline{s'}$ and we may conclude because $x' = x$ and $u' = u$
by determinism of the calculus (Proposition 2.1).

• Inductive case $n > 0$: by hypothesis, we have $s \to_{\mathtt{c}} s_1$. By
Theorem 4.2, $\underline{s} \equiv \underline{s_1}$. The hypothesis and the strong bisimulation
property (Proposition 2.2) then give us $\underline{s_1} \multimap_x u_1 \equiv u$. But the
induction hypothesis holds for $s_1$, giving us a state $s'$ such that
$\mathtt{nf}_{\mathtt{c}}(s_1) \to_x s'$ and $\underline{s'} \equiv u_1 \equiv u$. We may now conclude because
$\mathtt{nf}_{\mathtt{c}}(s) = \mathtt{nf}_{\mathtt{c}}(s_1)$. □

The reflection can then be extended to a reverse simulation. 

Corollary 4.5 (Reverse Simulation). Let $D$ be a reflective distillery
and $s$ an initial state. Given a derivation $d : \underline{s} \multimap^{*} t$ there is an
execution $\rho : s \to^{*} s'$ s.t. $t \equiv \underline{s'}$ and $|\rho|_{\mathtt{m}} = |d|_{\mathtt{m}}$, $|\rho|_{\mathtt{e}} = |d|_{\mathtt{e}}$, and
$|\rho|_{\mathtt{p}} = |d|$.

Proof. By induction on the length of $d$, using Proposition 4.4. □



In the following sections we shall introduce abstract machines 
and distillations for which we will prove that they form reflective 
distilleries with respect to the calculi of Sect. 2. For each machine 
we will prove 1) that the decoding is in fact a distillation, and 2) the 
progress property. We will instead assume the termination property, 
whose proof is delayed to the quantitative study of the second part 
of the paper, where we will actually prove stronger results, giving 
explicit bounds. 

5. Call-by-Name: the KAM 

The Krivine Abstract Machine (KAM) is the simplest machine
studied in the paper. A KAM state ($s$) is made out of a closure
and of a stack ($\pi$):

$$\pi ::= \epsilon \mid c :: \pi \qquad s ::= (c, \pi)$$

For readability, we will use the notation $\overline{t} \mid e \mid \pi$ for a state $(c, \pi)$
where $c = (\overline{t}, e)$. The transitions of the KAM then are:



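$$\begin{array}{c|c|c}
\overline{t}\,\overline{u} & e & \pi \\
\lambda x.\overline{t} & e & c :: \pi \\
x & e & \pi
\end{array}
\quad
\begin{array}{c}
\to_{\mathtt{c}} \\ \to_{\mathtt{m}} \\ \to_{\mathtt{e}}
\end{array}
\quad
\begin{array}{c|c|c}
\overline{t} & e & (\overline{u}, e) :: \pi \\
\overline{t} & [x{\leftarrow}c] :: e & \pi \\
\overline{t} & e' & \pi
\end{array}$$

where $\to_{\mathtt{e}}$ takes place only if $e = e'' :: [x{\leftarrow}(\overline{t}, e')] :: e'''$.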

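A key point of our study is that environments and stacks rather
immediately become contexts of the LSC, through the following
decoding:

$$\begin{array}{rclcrcl}
\underline{\epsilon} & := & \langle\cdot\rangle & \qquad & \underline{[x{\leftarrow}c] :: e} & := & \underline{e}\langle\langle\cdot\rangle[x{\leftarrow}\underline{c}]\rangle \\
\underline{(\overline{t}, e)} & := & \underline{e}\langle\overline{t}\rangle & \qquad & \underline{c :: \pi} & := & \underline{\pi}\langle\langle\cdot\rangle\underline{c}\rangle \\
\underline{\overline{t} \mid e \mid \pi} & := & \underline{\pi}\langle\underline{e}\langle\overline{t}\rangle\rangle & & & &
\end{array}$$

The decoding satisfies the following static properties, shown by
easy inductions on the definition.

Lemma 5.1 (Contextual Decoding). $\underline{e}$ is a substitution context, and
both $\underline{\pi}$ and $\underline{\pi}\langle\underline{e}\rangle$ are evaluation contexts.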

Next, we need the dynamic invariants of the machine. 

Lemma 5.2 (KAM Invariants). Let $s = \overline{u} \mid e \mid \pi$ be a KAM
reachable state whose initial code $\overline{t}$ is well-named. Then:

1. Closure: every closure in $s$ is closed;

2. Subterm: any code in $s$ is a literal subterm of $\overline{t}$.

3. Name: any closure in $s$ is well-named.

4. Environment Size: the length of any environment in $s$ is bound
by $|\overline{t}|$.

Abstract Considerations on Concrete Implementations. The
name invariant is the abstract property that allows one to avoid
α-equivalence in KAM executions. In addition, by forbidding repetitions
in the support of an environment, it allows one to bound the length of
any environment with the names in $\overline{t}$, i.e. with $|\overline{t}|$. This fact is
important, as the static bound on the size of environments guarantees
that $\to_{\mathtt{e}}$ and $\to_{\mathtt{c}}$ — the transitions looking-up and copying
environments — can be implemented (independently of the chosen
concrete representation of terms) in at worst linear time in $|\overline{t}|$, so that
an execution $\rho$ can be implemented in $O(|\rho| \cdot |\overline{t}|)$. The same will
hold for every machine with local environments.

The previous considerations are based on the name and environ- 
ment size invariants. The closure invariant is used in the progress 
part of the next theorem, and the subterm invariant is used in the 
quantitative analysis in Sect. 10 (Theorem 10.3), subsuming the 
termination condition of reflective distilleries. 



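Theorem 5.3 (KAM Distillation). $(\mathrm{KAM}, \mathtt{Name}, \equiv, \underline{\cdot})$ is a
reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative: if $s \to_{\mathtt{c}} s'$ then $\underline{s} \equiv \underline{s'}$;

2. Multiplicative: if $s \to_{\mathtt{m}} s'$ then $\underline{s} \multimap_{\mathtt{m}} \underline{s'}$;

3. Exponential: if $s \to_{\mathtt{e}} s'$ then $\underline{s} \multimap_{\mathtt{e}} \equiv \underline{s'}$.

Proof. Properties of the decoding:

1. Commutative. We have $\overline{t}\,\overline{u} \mid e \mid \pi \to_{\mathtt{c}} \overline{t} \mid e \mid (\overline{u}, e) :: \pi$, and:

$$\begin{array}{rcl}
\underline{\overline{t}\,\overline{u} \mid e \mid \pi} & = & \underline{\pi}\langle\underline{e}\langle\overline{t}\,\overline{u}\rangle\rangle \\
 & \equiv_{@}^{*} & \underline{\pi}\langle\underline{e}\langle\overline{t}\rangle\,\underline{e}\langle\overline{u}\rangle\rangle \;=\; \underline{\overline{t} \mid e \mid (\overline{u}, e) :: \pi}
\end{array}$$

2. Multiplicative. $\lambda x.\overline{t} \mid e \mid c :: \pi \to_{\mathtt{m}} \overline{t} \mid [x{\leftarrow}c] :: e \mid \pi$, and

$$\begin{array}{rcl}
\underline{\lambda x.\overline{t} \mid e \mid c :: \pi} & = & \underline{\pi}\langle\underline{e}\langle\lambda x.\overline{t}\rangle\,\underline{c}\rangle \\
 & \multimap_{\mathtt{m}} & \underline{\pi}\langle\underline{e}\langle\overline{t}[x{\leftarrow}\underline{c}]\rangle\rangle \\
 & = & \underline{\overline{t} \mid [x{\leftarrow}c] :: e \mid \pi}
\end{array}$$

The rewriting step can be applied because by contextual decoding
(Lemma 5.1) it takes place in an evaluation context.

3. Exponential. $x \mid e' :: [x{\leftarrow}(\overline{t}, e)] :: e'' \mid \pi \to_{\mathtt{e}} \overline{t} \mid e \mid \pi$, and

$$\begin{array}{rcl}
\underline{x \mid e' :: [x{\leftarrow}(\overline{t}, e)] :: e'' \mid \pi} & = & \underline{\pi}\langle\underline{e''}\langle\underline{e'}\langle x\rangle[x{\leftarrow}\underline{e}\langle\overline{t}\rangle]\rangle\rangle \\
 & \multimap_{\mathtt{e}} & \underline{\pi}\langle\underline{e''}\langle\underline{e'}\langle\underline{e}\langle\overline{t}\rangle\rangle[x{\leftarrow}\underline{e}\langle\overline{t}\rangle]\rangle\rangle \\
 & \equiv_{\mathtt{gc}}^{*} & \underline{\pi}\langle\underline{e}\langle\overline{t}\rangle\rangle \\
 & = & \underline{\overline{t} \mid e \mid \pi}
\end{array}$$

Note that $\underline{e''}\langle\underline{e'}\langle\underline{e}\langle\overline{t}\rangle\rangle[x{\leftarrow}\underline{e}\langle\overline{t}\rangle]\rangle \equiv_{\mathtt{gc}}^{*} \underline{e}\langle\overline{t}\rangle$ holds because $\underline{e}\langle\overline{t}\rangle$ is
closed by point 1 of Lemma 5.2, and so all the substitutions
around it can be garbage collected.

Termination. Given by (forthcoming) Theorem 10.3 (future proofs
of distillery theorems will omit termination).

Progress. Let $s = \overline{t} \mid e \mid \pi$ be a commutative normal form s.t.
$\underline{s} \multimap u$. If $\overline{t}$ is

• an application $\overline{u}\,\overline{w}$. Then a $\to_{\mathtt{c}}$ transition applies and $s$ is not a
commutative normal form, absurd.

• an abstraction $\lambda x.\overline{u}$: if $\pi = \epsilon$ then $\underline{s} = \underline{e}\langle\lambda x.\overline{u}\rangle$, which is
normal, absurd. Hence, a $\to_{\mathtt{m}}$ transition applies.

• a variable $x$: by point 1 of Lemma 5.2.1, we must have $e = e' ::
[x{\leftarrow}c] :: e''$, so a $\to_{\mathtt{e}}$ transition applies; □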

6. Call-by-Value: the CEK and the LAM

Here we deal with two call-by-value variants of the KAM, namely
Felleisen and Friedman's CEK machine [23] (without control operators)
and a machine abstracting Leroy's ZINC machine [32], deemed Leroy
abstract machine (LAM). They differ on how they behave with respect to
applications: the CEK implements left-to-right call-by-value, i.e. it
first evaluates the function part, while the LAM gives precedence to
arguments, realizing right-to-left call-by-value.

The states of the two machines have the same shape as those of the
KAM, i.e. they are given by a closure plus a stack. The difference is
that they use call-by-value stacks, whose elements are labelled either
as functions or arguments, so that the machine may know whether it is
launching the evaluation of an argument or it is at the end of such an
evaluation. They are re-defined and decoded by ($c$ is a closure):

$$\pi ::= \epsilon \mid f(c) :: \pi \mid a(c) :: \pi$$

$$\underline{\epsilon} := \langle\cdot\rangle \qquad
\underline{f(c) :: \pi} := \underline{\pi}\langle\underline{c}\,\langle\cdot\rangle\rangle \qquad
\underline{a(c) :: \pi} := \underline{\pi}\langle\langle\cdot\rangle\,\underline{c}\rangle$$

The states of both machines are decoded exactly as for the KAM,
i.e. $\underline{t \mid e \mid \pi} := \underline{\pi}\langle\underline{e}\langle t\rangle\rangle$.

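6.1 Left-to-Right Call-by-Value: the CEK machine.

The transitions of the CEK are:

$$\begin{array}{lcl}
t u \mid e \mid \pi & \to_{c_1} & t \mid e \mid a(u, e) :: \pi \\
v \mid e \mid a(u, e') :: \pi & \to_{c_2} & u \mid e' \mid f(v, e) :: \pi \\
v \mid e \mid f(\lambda x.t, e') :: \pi & \to_{m} & t \mid [x{\leftarrow}(v, e)] :: e' \mid \pi \\
x \mid e \mid \pi & \to_{e} & t \mid e' \mid \pi
\end{array}$$

where $\to_{e}$ takes place only if $e = e'' :: [x{\leftarrow}(t, e')] :: e'''$.

While one can still statically prove that environments decode
to substitution contexts, to prove that $\underline{\pi}$ and
$\underline{\pi}\langle\underline{e}\rangle$ are evaluation contexts we
need the dynamic invariants of the machine.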

Lemma 6.1 (CEK Invariants). Let $s = u \mid e \mid \pi$ be a CEK
reachable state whose initial code $t$ is well-named. Then:

1. Closure: every closure in $s$ is closed;

2. Subterm: any code in $s$ is a literal subterm of $t$;

3. Value: any code in $e$ is a value and, for every element of $\pi$ of
the form $f(u, e')$, $u$ is a value;

4. Contextual Decoding: $\underline{\pi}$ and
$\underline{\pi}\langle\underline{e}\rangle$ are left-to-right
call-by-value evaluation contexts.

5. Name: any closure in $s$ is well-named.

6. Environment Size: the length of any environment in $s$ is bound
by $|t|$.

We have everything we need: 

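Theorem 6.2 (CEK Distillation). $(\mathrm{CEK}, \mathtt{Value}^{LR}, \equiv, \underline{\,\cdot\,})$
is a reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative 1: if $s \to_{c_1} s'$ then $\underline{s} \equiv \underline{s'}$;

2. Commutative 2: if $s \to_{c_2} s'$ then $\underline{s} \equiv \underline{s'}$;

3. Multiplicative: if $s \to_{m} s'$ then $\underline{s} \multimap_{m} \underline{s'}$;

4. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} \equiv \underline{s'}$.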

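Proof. Properties of the decoding: in the following cases, evaluation
will always take place under a context that by Lemma 6.1.4 will be a
left-to-right call-by-value evaluation context, and similarly
structural equivalence will always be used in a weak context, as it
should be.

1. Commutative 1. We have $t u \mid e \mid \pi \to_{c_1} t \mid e \mid a(u, e) :: \pi$, and:

$$\underline{t u \mid e \mid \pi} = \underline{\pi}\langle\underline{e}\langle t u\rangle\rangle \equiv \underline{\pi}\langle\underline{e}\langle t\rangle\,\underline{e}\langle u\rangle\rangle = \underline{t \mid e \mid a(u, e) :: \pi}$$

2. Commutative 2. We have $v \mid e \mid a(u, e') :: \pi \to_{c_2} u \mid e' \mid f(v, e) :: \pi$, and:

$$\underline{v \mid e \mid a(u, e') :: \pi} = \underline{\pi}\langle\underline{e}\langle v\rangle\,\underline{e'}\langle u\rangle\rangle = \underline{u \mid e' \mid f(v, e) :: \pi}$$

3. Multiplicative. We have $v \mid e \mid f(\lambda x.t, e') :: \pi \to_{m} t \mid [x{\leftarrow}(v, e)] :: e' \mid \pi$, and:

$$\underline{v \mid e \mid f(\lambda x.t, e') :: \pi} = \underline{\pi}\langle\underline{e'}\langle\lambda x.t\rangle\,\underline{e}\langle v\rangle\rangle \multimap_{m} \underline{t \mid [x{\leftarrow}(v, e)] :: e' \mid \pi}$$

4. Exponential. Let $e = e'' :: [x{\leftarrow}(t, e')] :: e'''$. We have
$x \mid e \mid \pi \to_{e} t \mid e' \mid \pi$, and:

$$\begin{array}{rcl}
\underline{x \mid e \mid \pi} & = & \underline{\pi}\langle\underline{e}\langle x\rangle\rangle \\
& = & \underline{\pi}\langle\underline{e'''}\langle\underline{e''}\langle x\rangle[x{\leftarrow}\underline{e'}\langle t\rangle]\rangle\rangle \\
& \multimap_{e} \equiv & \underline{t \mid e' \mid \pi}
\end{array}$$

We can apply $\multimap_{e}$ since by Lemma 6.1.3, $t$ is a value. We also
use that by Lemma 6.1.1, $\underline{e'}\langle t\rangle$ is a closed term to ensure that
and can be garbage collected.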



Progress. Let $s = t \mid e \mid \pi$ be a commutative normal form s.t.
$\underline{s} \multimap u$. If $t$ is

• an application $u w$. Then a $\to_{c_1}$ transition applies and $s$ is
not a commutative normal form, absurd.

• an abstraction $v$: by hypothesis, $\pi$ cannot be of the form
$a(c) :: \pi'$. Suppose it is equal to $\epsilon$. We would then have
$\underline{s} = \underline{e}\langle v\rangle$, which is a
call-by-value normal form, because $\underline{e}$ is a substitution
context. This would contradict our hypothesis, so $\pi$ must be of the
form $f(u, e') :: \pi'$. By point 3 of Lemma 6.1, $u$ is an
abstraction, hence a $\to_{m}$ transition applies.

• a variable $x$: by point 1 of Lemma 6.1, $e$ must be of the form
$e' :: [x{\leftarrow}c] :: e''$, so a $\to_{e}$ transition applies. □

6.2 Right-to-Left Call-by-Value: the Leroy Abstract Machine

The transitions of the LAM are:

$$\begin{array}{lcl}
t u \mid e \mid \pi & \to_{c_1} & u \mid e \mid f(t, e) :: \pi \\
v \mid e \mid f(t, e') :: \pi & \to_{c_2} & t \mid e' \mid a(v, e) :: \pi \\
\lambda x.t \mid e \mid a(c) :: \pi & \to_{m} & t \mid [x{\leftarrow}c] :: e \mid \pi \\
x \mid e \mid \pi & \to_{e} & t \mid e' \mid \pi
\end{array}$$

where $\to_{e}$ takes place only if $e = e'' :: [x{\leftarrow}(t, e')] :: e'''$.

We omit all the proofs (that can be found in the appendix, page 
22) because they are minimal variations on those for the CEK. 

Lemma 6.3 (LAM Invariants). Let $s = u \mid e \mid \pi$ be a LAM
reachable state whose initial code $t$ is well-named. Then:

1. Closure: every closure in $s$ is closed;

2. Subterm: any code in $s$ is a literal subterm of $t$;

3. Value: any code in $e$ is a value and, for every element of $\pi$ of
the form $a(u, e')$, $u$ is a value;

4. Contexts Decoding: $\underline{\pi}$ and
$\underline{\pi}\langle\underline{e}\rangle$ are right-to-left
call-by-value evaluation contexts.

5. Name: any closure in $s$ is well-named.

6. Environment Size: the length of any environment in $s$ is bound
by $|t|$.

Theorem 6.4 (LAM Distillation). $(\mathrm{LAM}, \mathtt{Value}^{RL}, \equiv, \underline{\,\cdot\,})$
is a reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative 1: if $s \to_{c_1} s'$ then $\underline{s} \equiv \underline{s'}$;

2. Commutative 2: if $s \to_{c_2} s'$ then $\underline{s} \equiv \underline{s'}$;

3. Multiplicative: if $s \to_{m} s'$ then $\underline{s} \multimap_{m} \underline{s'}$;

4. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} \equiv \underline{s'}$.

7. Towards Call-by-Need: the MAM and the Split 
CEK 

In this section we study two further machines: 

1. The Milner Abstract Machine (MAM), that is a variation over 
the KAM with only one global environment and without the 
concept of closure. Essentially, it unveils the content of distance 
rules at the machine level. 



2. The Split CEK (SCEK), obtained disentangling the two uses of 
the stack (for arguments and for functions) in the CEK. The 
split CEK can be seen as a simplification of Landin's SECD 
machine [30]. 

The ideas at work in these two case studies will be combined in the 
next section, obtaining a new simple call-by-need machine. 

7.1 Milner Abstract Machine 

The linear substitution calculus suggests the design of a simpler
version of the KAM, the Milner Abstract Machine (MAM), that avoids the
concept of closure. At the language level, the idea is that, by
repeatedly applying the axioms $\equiv_{dup}$ and $\equiv_{@}$ of the
structural equivalence, explicit substitutions can be folded and
brought outside. At the machine level, the local environments in the
closures are replaced by just one global environment that closes the
code and the stack, as well as the global environment itself.

Of course, naively turning to a global environment breaks the
well-named invariant of the machine. This point is addressed using an
$\alpha$-renaming in the variable transition, i.e. when substitution
takes place. Here we employ the global environments $E$ of Sect. 3 and
we redefine stacks as $\pi ::= \epsilon \mid t :: \pi$. A state of the
MAM is given by a code $t$, a stack $\pi$ and a global environment $E$.
Note that the code and the stack together now form a code.

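The transitions of the MAM are:

$$\begin{array}{lcl}
t u \mid \pi \mid E & \to_{c} & t \mid u :: \pi \mid E \\
\lambda x.t \mid u :: \pi \mid E & \to_{m} & t \mid \pi \mid [x{\leftarrow}u] :: E \\
x \mid \pi \mid E & \to_{e} & t^{\alpha} \mid \pi \mid E
\end{array}$$

where $\to_{e}$ takes place only if $E = E'' :: [x{\leftarrow}t] :: E'$
and $t^{\alpha}$ is a well-named code $\alpha$-equivalent to $t$ and
s.t. any bound name in $t^{\alpha}$ is fresh with respect to those in
$\pi$ and $E$.¹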

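The decoding of a MAM state $t \mid \pi \mid E$ is similar to the
decoding of a KAM state, but the stack and the environment context
are applied in reverse order (this is why stack and environment in
MAM states are swapped with respect to KAM states):

$$\begin{array}{rclcrcl}
\underline{\epsilon} & := & \langle\cdot\rangle & \qquad & \underline{[x{\leftarrow}t] :: E} & := & \underline{E}\langle\langle\cdot\rangle[x{\leftarrow}t]\rangle \\
\underline{t :: \pi} & := & \underline{\pi}\langle\langle\cdot\rangle\,t\rangle & \qquad & \underline{t \mid \pi \mid E} & := & \underline{E}\langle\underline{\pi}\langle t\rangle\rangle
\end{array}$$

We call global closure associated to state $t \mid \pi \mid E$ the pair $(t\pi, E)$.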

As for the KAM, the decoding of contexts can be done statically, 
i.e. it does not need dynamic invariants. 

Lemma 7.1 (Contextual Decoding). $\underline{E}$ is a substitution
context, and both $\underline{\pi}$ and
$\underline{\pi}\langle\underline{E}\rangle$ are evaluation contexts.

For the dynamic invariants we need a different notion of closed 
closure. 

Definition 7.2. Given a global environment $E$ and a code $t$,
we define by mutual induction two predicates $E$ is closed and
$(t, E)$ is closed as follows:

• $\epsilon$ is closed;

• $[x{\leftarrow}t] :: E$ is closed if $(t, E)$ is closed;

• $(t, E)$ is closed if $\mathtt{fv}(t) \subseteq A(E) \wedge E$ is closed.

The dynamic invariants are:

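Lemma 7.3 (MAM invariants). Let $s = u \mid \pi \mid E$ be a MAM state
reached by an execution $\rho$ of initial well-named code $t$. Then:

1. Global Closure: the global closure $(u\pi, E)$ of $s$ is closed;

2. Subterm: any code in $s$ is a literal subterm of $t$;

3. Names: the global closure of $s$ is well-named;

4. Environment Size: the length of the global environment in $s$ is
bound by $|\rho|_{m}$.

$$\begin{array}{lcl}
t u \mid e \mid \pi \mid D & \to_{c_1} & t \mid e \mid (u, e) :: \pi \mid D \\
v \mid e \mid (t, e') :: \pi \mid D & \to_{c_2} & t \mid e' \mid \epsilon \mid ((v, e), \pi) :: D \\
v \mid e \mid \epsilon \mid ((\lambda x.t, e'), \pi) :: D & \to_{m} & t \mid [x{\leftarrow}(v, e)] :: e' \mid \pi \mid D \\
x \mid e :: [x{\leftarrow}(v, e')] :: e'' \mid \pi \mid D & \to_{e} & v \mid e' \mid \pi \mid D
\end{array}$$

Figure 2. The Split CEK, aka the revisited SECD.

¹ The well-named invariant can be restored also in another way. One can
simply substitute $t$ (instead of $t^{\alpha}$) but modify $\to_{m}$ as
follows (with $y$ fresh):

$$\lambda x.t \mid u :: \pi \mid E \;\to_{m}\; t\{x{\leftarrow}y\} \mid \pi \mid [y{\leftarrow}u] :: E$$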

Abstract Considerations on Concrete Implementations. Note the new
environment size invariant, whose bound is laxer than for local
environment machines. Let $\rho$ be an execution of initial code $t$.
If one implements $\to_{e}$ looking for $x$ in $E$ sequentially, then
each $\to_{e}$ transition has cost $|\rho|_{m}$ (more precisely, linear
in the number of preceding $\to_{m}$ transitions) and the cost of
implementing $\rho$ is easily seen to become quadratic in $|\rho|$. An
efficient implementation would then employ a representation of codes
such that variables are pointers, so that looking for $x$ in $E$ takes
constant time. The name invariant guarantees that variables can indeed
be taken as pointers, as there is no name clash. Note that the cost of
a $\to_{e}$ transition is not constant, as the renaming operation
actually makes $\to_{e}$ linear in $|t|$ (by the subterm invariant).
So, assuming a pointer-based representation, $\rho$ can be implemented
in time $O(|\rho| \cdot |t|)$, as for local machines, and the same will
hold for every global environment machine.

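Theorem 7.4 (MAM Distillation). $(\mathrm{MAM}, \mathtt{Name}, \equiv, \underline{\,\cdot\,})$
is a reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative: if $s \to_{c} s'$ then $\underline{s} = \underline{s'}$;

2. Multiplicative: if $s \to_{m} s'$ then $\underline{s} \multimap_{m} \equiv \underline{s'}$;

3. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} =_{\alpha} \underline{s'}$.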

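Proof. Properties of the decoding (progress is as for the KAM):

1. Commutative. In contrast to the KAM, $\to_{c}$ gives a true identity:

$$\underline{t u \mid \pi \mid E} = \underline{E}\langle\underline{\pi}\langle t u\rangle\rangle = \underline{t \mid u :: \pi \mid E}$$

2. Multiplicative. Since substitutions and evaluation contexts commute
via $\equiv$ (Lemma 2.4), $\to_{m}$ maps to:

$$\begin{array}{rcl}
\underline{\lambda x.t \mid u :: \pi \mid E} & = & \underline{E}\langle\underline{\pi}\langle(\lambda x.t)\,u\rangle\rangle \\
& \multimap_{m} & \underline{E}\langle\underline{\pi}\langle t[x{\leftarrow}u]\rangle\rangle \\
& \equiv_{\text{Lem. 2.4}} & \underline{E}\langle\underline{\pi}\langle t\rangle[x{\leftarrow}u]\rangle \\
& = & \underline{t \mid \pi \mid [x{\leftarrow}u] :: E}
\end{array}$$

3. Exponential. The erasure of part of the environment of the
KAM is replaced by an explicit use of $\alpha$-equivalence:

$$\begin{array}{rcl}
\underline{x \mid \pi \mid E :: [x{\leftarrow}u] :: E'} & = & \underline{E'}\langle\underline{E}\langle\underline{\pi}\langle x\rangle\rangle[x{\leftarrow}u]\rangle \\
& \multimap_{e} & \underline{E'}\langle\underline{E}\langle\underline{\pi}\langle u\rangle\rangle[x{\leftarrow}u]\rangle \\
& =_{\alpha} & \underline{E'}\langle\underline{E}\langle\underline{\pi}\langle u^{\alpha}\rangle\rangle[x{\leftarrow}u]\rangle \\
& = & \underline{u^{\alpha} \mid \pi \mid E :: [x{\leftarrow}u] :: E'}
\end{array}$$

□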
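The MAM of this section can be run directly. The following Python sketch is an added example, not code from the paper: the tuple encoding of terms, the dict that stands in for pointer-like variables, and the `_n` fresh-name scheme are assumptions of the example. It checks the environment size invariant after every step and shows the name clash that appears when the renaming in the exponential transition is dropped.

```python
import itertools

# Terms as tuples (an encoding chosen for this example).
def Var(x): return ("var", x)
def Lam(x, body): return ("lam", x, body)
def App(t, u): return ("app", t, u)

class NameClash(Exception):
    """Raised when ->m would bind a name that is already in E."""

def rename(t, fresh, sub=None):
    """Return a copy of t whose bound names are all fresh (t^alpha)."""
    sub = sub or {}
    if t[0] == "var":
        return Var(sub.get(t[1], t[1]))
    if t[0] == "lam":
        y = fresh(t[1])
        return Lam(y, rename(t[2], fresh, {**sub, t[1]: y}))
    return App(rename(t[1], fresh, sub), rename(t[2], fresh, sub))

def run_mam(t, rename_on_lookup=True, fuel=10_000):
    """Run the MAM on a closed, well-named term t.

    Returns (final code, step counts, global environment)."""
    counter = itertools.count(1)

    def fresh(x):
        # Assumed naming scheme: base name, underscore, global counter.
        return f"{x.split('_')[0]}_{next(counter)}"

    code, stack, genv = t, [], {}          # top of the stack = end of list
    steps = {"c": 0, "m": 0, "e": 0}
    for _ in range(fuel):
        if code[0] == "app":               # tu | pi | E  ->c  t | u::pi | E
            stack.append(code[2])
            code, label = code[1], "c"
        elif code[0] == "lam":
            if not stack:                  # abstraction, empty stack: final
                return code, steps, genv
            _, x, body = code              # lam x.t | u::pi | E ->m t | pi | [x<-u]::E
            if x in genv:
                raise NameClash(x)
            genv[x] = stack.pop()
            code, label = body, "m"
        else:                              # x | pi | E  ->e  t^alpha | pi | E
            bound = genv[code[1]]          # O(1): the name acts as a pointer
            code = rename(bound, fresh) if rename_on_lookup else bound
            label = "e"
        steps[label] += 1
        # Environment size invariant (Lemma 7.3.4): |E| <= |rho|_m.
        assert len(genv) <= steps["m"]
    raise RuntimeError("out of fuel (diverging term?)")

def breaks_without_renaming(t):
    """True if running t without alpha-renaming hits a name clash in E."""
    try:
        run_mam(t, rename_on_lookup=False)
    except NameClash:
        return True
    return False

# Constructed sample: (lam f. f (f (lam w. w))) (lam z. z).
# It is closed and well-named, and it looks up f twice.
SAMPLE = App(Lam("f", App(Var("f"), App(Var("f"), Lam("w", Var("w"))))),
             Lam("z", Var("z")))

if __name__ == "__main__":
    print(run_mam(SAMPLE))
    print("clash without renaming:", breaks_without_renaming(SAMPLE))
```

On the sample, the second copy of the code bound to `f` would bind `z` again if it were not renamed, which is exactly the clash the exponential transition avoids.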

Digression about $\equiv$. Note that in the distillation theorem
structural equivalence is used only to commute with stacks. The
calculus and the machine in fact form a distillery also with respect to
the following simpler notion of structural equivalence. Let
$\equiv_{MAM}$ be the


smallest equivalence relation generated by the closure by (call-by- 
name) evaluation contexts of the axiom =cm in Fig. 1 (page 4). The 
next lemma guarantees that $\equiv_{MAM}$ is a strong bisimulation (the
proof is in the appendix, page 23), and so $\equiv_{MAM}$ provides
another MAM distillery.

Lemma 7.5. $\equiv_{MAM}$ is a strong bisimulation with respect to $\multimap$.

7.2 The Split CEK, or Revisiting the SECD Machine 

For the CEK machine we proved that the stack, that collects both
arguments and functions, decodes to an evaluation context
(Lemma 6.1.4). The new CBV machine in Fig. 2, deemed Split CEK, has
two stacks: one for arguments and one for functions. Both will decode
to evaluation contexts. The argument stack is identical to the stack
of the KAM, and, accordingly, will decode to an applicative context.
Roughly, the function stack decodes to contexts of the form
$H\langle v\,\langle\cdot\rangle\rangle$. More precisely, an entry of
the function stack is a pair $(c, \pi)$, where $c$ is a closure
$(v, e)$, and the three components $v$, $e$, and $\pi$ together
correspond to the evaluation context
$\underline{\pi}\langle\underline{e}\langle v\,\langle\cdot\rangle\rangle\rangle$.
For the acquainted reader, this new stack corresponds to the dump of
Landin's SECD machine [30].

Let us explain the main idea. Whenever the code is an abstraction $v$
and the argument stack $\pi$ is non-empty (i.e. $\pi = c :: \pi'$),
the machine saves the active closure, given by current code $v$ and
environment $e$, and the tail of the stack $\pi'$ by pushing a new
entry $((v, e), \pi')$ on the dump, and then starts evaluating the
first closure $c$ of the stack. The syntax for dumps then is

$$D ::= \epsilon \mid (c, \pi) :: D$$

Every dump decodes to a context according to:

$$\underline{\epsilon} := \langle\cdot\rangle \qquad
\underline{((v, e), \pi) :: D} := \underline{D}\langle\underline{\pi}\langle\underline{e}\langle v\,\langle\cdot\rangle\rangle\rangle\rangle$$

The decoding of terms, environments, closures, and stacks is as
for the KAM. The decoding of states is defined as
$\underline{t \mid e \mid \pi \mid D} := \underline{D}\langle\underline{\pi}\langle\underline{e}\langle t\rangle\rangle\rangle$.
The proofs for the Split CEK are in the appendix (page 23).

Lemma 7.6 (Split CEK Invariants). Let $s = u \mid e \mid \pi \mid D$ be
a Split CEK reachable state whose initial code $t$ is well-named. Then:

1. Closure: every closure in $s$ is closed;

2. Subterm: any code in $s$ is a literal subterm of $t$;

3. Value: the code of any closure in the dump or in any environment
in $s$ is a value;

4. Contextual Decoding: $\underline{D}$,
$\underline{D}\langle\underline{\pi}\rangle$, and
$\underline{D}\langle\underline{\pi}\langle\underline{e}\rangle\rangle$
are left-to-right call-by-value evaluation contexts.

5. Name: any closure in $s$ is well-named.

6. Environment Size: the length of any environment in $s$ is bound
by $|t|$.

Theorem 7.7 (Split CEK Distillation). $(\text{Split CEK}, \mathtt{Value}^{LR}, \equiv, \underline{\,\cdot\,})$
is a reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative 1: if $s \to_{c_1} s'$ then $\underline{s} \equiv \underline{s'}$;

2. Commutative 2: if $s \to_{c_2} s'$ then $\underline{s} \equiv \underline{s'}$;

3. Multiplicative: if $s \to_{m} s'$ then $\underline{s} \multimap_{m} \underline{s'}$;

4. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} \equiv \underline{s'}$.

Figure 3. The Wadsworth Abstract Machine (WAM).



8. Call-by-Need: the WAM and the Merged WAM 

A new abstract machine for call-by-need, deemed Wadsworth Ab- 
stract Machine (WAM), is shown in Fig. 3. It is obtained from the 
KAM by two tweaks: 

1. It uses the dump-like approach of the Split CEK/SECD to
evaluate inside explicit substitutions;

2. It uses the global environment approach of the MAM to implement
memoization.

Whenever the code is a variable $x$ and the environment has the
form $E_1 :: [x{\leftarrow}t] :: E_2$, the machine jumps to evaluate
$t$ saving the prefix of the environment $E_1$, the variable $x$ on
which it will substitute the result of evaluating $t$, and the stack
$\pi$. In Sect. 9, we will present a variant of the WAM that avoids
the splitting of the environment saving $E_1$ in a dump entry.

The syntax for dumps is

$$D ::= \epsilon \mid (E, x, \pi) :: D$$

Every dump stack decodes to a context according to:

$$\underline{\epsilon} := \langle\cdot\rangle \qquad
\underline{(E, x, \pi) :: D} := \underline{E}\langle\underline{D}\langle\underline{\pi}\langle x\rangle\rangle\rangle[x{\leftarrow}\langle\cdot\rangle]$$

The decoding of terms, environments, and stacks is defined as
for the KAM. The decoding of states is defined as
$\underline{t \mid \pi \mid D \mid E} := \underline{E}\langle\underline{D}\langle\underline{\pi}\langle t\rangle\rangle\rangle$.
The decoding of contexts is static:

Lemma 8.1 (Contextual Decoding). $\underline{D}$,
$\underline{D}\langle\underline{\pi}\rangle$,
$\underline{E}\langle\underline{D}\rangle$, and
$\underline{E}\langle\underline{D}\langle\underline{\pi}\rangle\rangle$
are call-by-need evaluation contexts.

Closed closures are defined as for the MAM. Given a state
$s = t \mid \pi \mid D \mid E_0$ with
$D = (E_1, x_1, \pi_1) :: \ldots :: (E_n, x_n, \pi_n)$, its closures
are $(\underline{\pi}\langle t\rangle, E_0)$ and, for $i \in \{1, \ldots, n\}$,

$$(\underline{\pi_i}\langle x_i\rangle,\; E_i :: [x_i{\leftarrow}\underline{\pi_{i-1}}\langle x_{i-1}\rangle] :: \ldots :: [x_1{\leftarrow}\underline{\pi}\langle t\rangle] :: E_0).$$

The dynamic invariants are:

Lemma 8.2 (WAM invariants). Let $s = t \mid \pi \mid D \mid E_0$ be a
WAM reachable state whose initial code $t$ is well-named, and s.t.
$D = (E_1, x_1, \pi_1) :: \ldots :: (E_n, x_n, \pi_n)$. Then:

1. Global Closure: the closures of $s$ are closed;

2. Subterm: any code in $s$ is a literal subterm of $t$;

3. Names: the closures of $s$ are well-named.

For the properties of the decoding function please note that,
as defined in Sect. 2, the structural congruence for call-by-need is
different from before.

Theorem 8.3 (WAM Distillation). $(\mathrm{WAM}, \mathtt{Need}, \equiv, \underline{\,\cdot\,})$
is a reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative 1: if $s \to_{c_1} s'$ then $\underline{s} = \underline{s'}$;

2. Commutative 2: if $s \to_{c_2} s'$ then $\underline{s} = \underline{s'}$;

3. Multiplicative: if $s \to_{m} s'$ then $\underline{s} \multimap_{m} \equiv \underline{s'}$;

4. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} =_{\alpha} \underline{s'}$.

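Proof. 1. Commutative 1.

$$\underline{t u \mid \pi \mid D \mid E} = \underline{E}\langle\underline{D}\langle\underline{\pi}\langle t u\rangle\rangle\rangle = \underline{t \mid u :: \pi \mid D \mid E}$$

2. Commutative 2.

$$\underline{x \mid \pi \mid D \mid E_1 :: [x{\leftarrow}t] :: E_2} = \underline{E_2}\langle\underline{E_1}\langle\underline{D}\langle\underline{\pi}\langle x\rangle\rangle\rangle[x{\leftarrow}t]\rangle = \underline{t \mid \epsilon \mid (E_1, x, \pi) :: D \mid E_2}$$

3. Multiplicative.

$$\begin{array}{rcl}
\underline{\lambda x.t \mid u :: \pi \mid D \mid E} & = & \underline{E}\langle\underline{D}\langle\underline{\pi}\langle(\lambda x.t)\,u\rangle\rangle\rangle \\
& \multimap_{m} & \underline{E}\langle\underline{D}\langle\underline{\pi}\langle t[x{\leftarrow}u]\rangle\rangle\rangle \\
& \equiv_{\text{Lem. 2.4}} & \underline{E}\langle\underline{D}\langle\underline{\pi}\langle t\rangle\rangle[x{\leftarrow}u]\rangle \\
& = & \underline{t \mid \pi \mid D \mid [x{\leftarrow}u] :: E}
\end{array}$$

Note that to apply Lemma 2.4 we use the global closure invariant,
as $u$, being on the stack, is closed by $E$ and so $\underline{D}$
does not capture its free variables.

4. Exponential.

$$\begin{array}{rcl}
\underline{v \mid \epsilon \mid (E_1, x, \pi) :: D \mid E_2} & = & \underline{E_2}\langle\underline{E_1}\langle\underline{D}\langle\underline{\pi}\langle x\rangle\rangle\rangle[x{\leftarrow}v]\rangle \\
& \multimap_{e} & \underline{E_2}\langle\underline{E_1}\langle\underline{D}\langle\underline{\pi}\langle v\rangle\rangle\rangle[x{\leftarrow}v]\rangle \\
& =_{\alpha} & \underline{E_2}\langle\underline{E_1}\langle\underline{D}\langle\underline{\pi}\langle v^{\alpha}\rangle\rangle\rangle[x{\leftarrow}v]\rangle \\
& = & \underline{v^{\alpha} \mid \pi \mid D \mid E_1 :: [x{\leftarrow}v] :: E_2}
\end{array}$$

Progress. Let $s = t \mid \pi \mid D \mid E$ be a commutative normal
form s.t. $\underline{s} \multimap u$. If $t$ is

1. an application $u w$. Then a $\to_{c_1}$ transition applies and $s$
is not a commutative normal form, absurd.

2. an abstraction $v$. The decoding $\underline{s}$ is of the form
$\underline{E}\langle\underline{D}\langle\underline{\pi}\langle v\rangle\rangle\rangle$.
The stack $\pi$ and the dump $D$ cannot both be empty, since then
$\underline{s} = \underline{E}\langle v\rangle$ would be normal. So
either the stack is empty and a $\to_{e}$ transition applies, or the
stack is not empty and a $\to_{m}$ transition applies.

3. a variable $x$. By Lemma 8.2.1 it must be bound by $E$, so a
$\to_{c_2}$ transition applies, and $s$ is not a commutative normal
form, absurd. □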

8.1 The Merged WAM, or Revisiting the Lazy KAM 

Splitting the stack of the CEK machine in two we obtained a 
simpler form of the SECD machine. In this section we apply to the 
WAM the reverse transformation. The result is a machine, deemed 
merged WAM, having only one stack and that can be seen as a 
simpler version of the lazy KAM. 

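To distinguish the two kinds of objects on the stack we use a
marker, as for the CEK and the LAM. Formally, the syntax for
stacks is:

$$\pi ::= \epsilon \mid a(t) :: \pi \mid h(E, x) :: \pi$$

where $a(t)$ denotes a term to be used as an argument (as for the
CEK) and $h(E, x, \pi)$ is morally an entry of the dump of the WAM,
where however there is no need to save the current stack. The
transitions of the Merged WAM are in Fig. 4.
The decoding is defined as follows:

$$\begin{array}{rcl}
\underline{[x{\leftarrow}t] :: E} & := & \underline{E}\langle\langle\cdot\rangle[x{\leftarrow}t]\rangle \\
\underline{h(E, x) :: \pi} & := & \underline{E}\langle\underline{\pi}\langle x\rangle\rangle[x{\leftarrow}\langle\cdot\rangle] \\
\underline{a(t) :: \pi} & := & \underline{\pi}\langle\langle\cdot\rangle\,t\rangle \\
\underline{t \mid \pi \mid E} & := & \underline{E}\langle\underline{\pi}\langle t\rangle\rangle
\end{array}$$

$$\begin{array}{lcl}
t u \mid \pi \mid E & \to_{c_1} & t \mid a(u) :: \pi \mid E \\
\lambda x.t \mid a(u) :: \pi \mid E & \to_{m} & t \mid \pi \mid [x{\leftarrow}u] :: E \\
x \mid \pi \mid E_1 :: [x{\leftarrow}t] :: E_2 & \to_{c_2} & t \mid h(E_1, x) :: \pi \mid E_2 \\
v \mid h(E_1, x) :: \pi \mid E_2 & \to_{e} & v^{\alpha} \mid \pi \mid E_1 :: [x{\leftarrow}v] :: E_2
\end{array}$$

Figure 4. The Merged WAM.

Figure 5. The Pointing WAM.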



Lemma 8.4 (Contextual Decoding). $\underline{\pi}$ and
$\underline{E}\langle\underline{\pi}\rangle$ are call-by-need
evaluation contexts.

The dynamic invariants of the Merged WAM are exactly the same as
those of the WAM, with respect to an analogous set of closures
associated to a state (whose exact definition is omitted). The proof
of the following theorem, almost identical to that of the WAM, is in
the appendix (page 23).

Theorem 8.5 (Merged WAM Distillation).
$(\text{Merged WAM}, \mathtt{Need}, \equiv, \underline{\,\cdot\,})$ is a
reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative 1: if $s \to_{c_1} s'$ then $\underline{s} \equiv \underline{s'}$;

2. Commutative 2: if $s \to_{c_2} s'$ then $\underline{s} \equiv \underline{s'}$;

3. Multiplicative: if $s \to_{m} s'$ then $\underline{s} \multimap_{m} \equiv \underline{s'}$;

4. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} =_{\alpha} \underline{s'}$.

9. The Pointing WAM, or Revisiting Sestoft's AM 

In the WAM, the global environment is divided between the envi- 
ronment of the machine and the entries of the dump. On one hand, 
this choice makes the decoding very natural. On the other hand, one 
would like to keep the environment in just one place, letting the 
dump only collect variables and stacks. This is what we do here, 
exploiting the fact that variable names can be taken as pointers (see 
the discussion after the invariants in Sect. 7.1). The new machine, 
called Pointing WAM, is in Fig. 5, and uses a new dummy constant 
□ for the substitutions whose variable is in the dump. It can be seen 
as a simpler version of Sestoft's abstract machine [39]. Dumps and 
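environments (called hyperstacks and heap by Sestoft) are defined
by:

$$D ::= \epsilon \mid (x, \pi) :: D \qquad\qquad
E ::= \epsilon \mid [x{\leftarrow}t] :: E \mid [x{\leftarrow}\Box] :: E$$

A substitution of the form $[x{\leftarrow}\Box]$ is dumped, and we also
say that $x$ is dumped.

Note that the variables of the entries in $D$ appear in reverse order
with respect to the corresponding substitutions in $E$. We will show
that this fact is an invariant, called duality.

Definition 9.1 (Duality $E \perp D$). Duality $E \perp D$ between
environments and dumps is defined by

1. $\epsilon \perp \epsilon$;

2. $E :: [x{\leftarrow}t] \perp D$ if $E \perp D$;

3. $E :: [x{\leftarrow}\Box] \perp (x, \pi) :: D$ if $E \perp D$.

Note that in a dual pair the environment is always at least as long
as the dump. A dual pair $E \perp D$ decodes to a context as follows:

$$\begin{array}{rcl}
\underline{(E, \epsilon)} & := & \underline{E} \\
\underline{(E :: [x{\leftarrow}\Box], (x, \pi) :: D)} & := & \underline{(E, D)}\langle\underline{\pi}\langle x\rangle\rangle[x{\leftarrow}\langle\cdot\rangle] \\
\underline{(E :: [x{\leftarrow}t], (y, \pi) :: D)} & := & \underline{(E, (y, \pi) :: D)}[x{\leftarrow}t]
\end{array}$$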



The analysis of the Pointing WAM is based on a complex
invariant that includes duality plus a generalization of the global
closure invariant. We need an auxiliary definition:

Definition 9.2. Given an environment $E$, we define its slice
$E{\upharpoonright}$ as the sequence of substitutions after the
rightmost dumped substitution. Formally:

$$(E :: [x{\leftarrow}t]){\upharpoonright} := E{\upharpoonright} :: [x{\leftarrow}t] \qquad\qquad
(E :: [x{\leftarrow}\Box]){\upharpoonright} := \epsilon$$

Moreover, if an environment $E$ is of the form
$E_1 :: [x{\leftarrow}\Box] :: E_2$, we define
$E{\upharpoonright}_{x} := E_1{\upharpoonright} :: [x{\leftarrow}\Box] :: E_2$.

The notion of closed closure with global environment (Sect. 7.1)
is extended to dummy constants $\Box$ as expected.

Lemma 9.3 (Pointing WAM invariants). Let $s = t \mid E \mid \pi \mid D$
be a Pointing WAM reachable state whose initial code $t$ is
well-named. Then:

1. Subterm: any code in $s$ is a literal subterm of $t$;

2. Names: the global closure of $s$ is well-named.

3. Dump-Environment Duality:

(a) $(\underline{\pi}\langle t\rangle, E{\upharpoonright})$ is closed;

(b) for every pair $(x, \pi')$ in $D$, $(\underline{\pi'}\langle x\rangle, E{\upharpoonright}_{x})$ is closed;

(c) $E \perp D$ holds.

4. Contextual Decoding: $\underline{(E, D)}$ is a call-by-need
evaluation context.

Proof. In the appendix, page 24. □

The decoding of a state is defined as
$\underline{t \mid \pi \mid D \mid E} := \underline{(E, D)}\langle\underline{\pi}\langle t\rangle\rangle$.

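Theorem 9.4 (Pointing WAM Distillation).
$(\text{Pointing WAM}, \mathtt{Need}, \equiv, \underline{\,\cdot\,})$ is a
reflective distillery. In particular, on a reachable state $s$ we have:

1. Commutative 1 & 2: if $s \to_{c_1} s'$ or $s \to_{c_2} s'$ then $\underline{s} = \underline{s'}$;

2. Multiplicative 1 & 2: if $s \to_{m_1} s'$ or $s \to_{m_2} s'$ then $\underline{s} \multimap_{m} \equiv \underline{s'}$;

3. Exponential: if $s \to_{e} s'$ then $\underline{s} \multimap_{e} =_{\alpha} \underline{s'}$.

Proof. Properties of the decoding:

1. Commutative 1. We have

$$\underline{t u \mid \pi \mid D \mid E} = \underline{(E, D)}\langle\underline{\pi}\langle t u\rangle\rangle = \underline{t \mid u :: \pi \mid D \mid E}$$

2. Commutative 2. Note that $E_2$ has no dumped substitutions, since
$E_1 :: [x{\leftarrow}\Box] :: E_2 \perp (x, \pi) :: D$. Then:

$$\underline{x \mid \pi \mid D \mid E_1 :: [x{\leftarrow}t] :: E_2} = \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi}\langle x\rangle\rangle[x{\leftarrow}t]\rangle = \underline{t \mid \epsilon \mid (x, \pi) :: D \mid E_1 :: [x{\leftarrow}\Box] :: E_2}$$

3. Multiplicative, empty dump.

$$\begin{array}{rcl}
\underline{\lambda x.t \mid u :: \pi \mid \epsilon \mid E} & = & \underline{E}\langle\underline{\pi}\langle(\lambda x.t)\,u\rangle\rangle \\
& \multimap_{m} & \underline{E}\langle\underline{\pi}\langle t[x{\leftarrow}u]\rangle\rangle \\
& \equiv_{\text{Lem. 2.4}} & \underline{E}\langle\underline{\pi}\langle t\rangle[x{\leftarrow}u]\rangle \\
& = & \underline{t \mid \pi \mid \epsilon \mid [x{\leftarrow}u] :: E}
\end{array}$$

4. Multiplicative, non-empty dump.

$$\begin{array}{rcl}
\underline{\lambda x.t \mid u :: \pi \mid (y, \pi') :: D \mid E_1 :: [y{\leftarrow}\Box] :: E_2} & = & \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi'}\langle y\rangle\rangle[y{\leftarrow}\underline{\pi}\langle(\lambda x.t)\,u\rangle]\rangle \\
& \multimap_{m} & \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi'}\langle y\rangle\rangle[y{\leftarrow}\underline{\pi}\langle t[x{\leftarrow}u]\rangle]\rangle \\
& \equiv_{\text{Lem. 2.4}} & \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi'}\langle y\rangle\rangle[y{\leftarrow}\underline{\pi}\langle t\rangle][x{\leftarrow}u]\rangle \\
& = & \underline{t \mid \pi \mid (y, \pi') :: D \mid E_1 :: [y{\leftarrow}\Box] :: [x{\leftarrow}u] :: E_2}
\end{array}$$

5. Exponential.

$$\begin{array}{rcl}
\underline{v \mid \epsilon \mid (x, \pi) :: D \mid E_1 :: [x{\leftarrow}\Box] :: E_2} & = & \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi}\langle x\rangle\rangle[x{\leftarrow}v]\rangle \\
& \multimap_{e} & \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi}\langle v\rangle\rangle[x{\leftarrow}v]\rangle \\
& =_{\alpha} & \underline{E_2}\langle\underline{(E_1, D)}\langle\underline{\pi}\langle v^{\alpha}\rangle\rangle[x{\leftarrow}v]\rangle \\
& = & \underline{v^{\alpha} \mid \pi \mid D \mid E_1 :: [x{\leftarrow}v] :: E_2}
\end{array}$$

Progress. Let $s = t \mid \pi \mid D \mid E$ be a commutative normal
form s.t. $\underline{s} \multimap u$. If $t$ is

• an application $u w$. Then a $\to_{c_1}$ transition applies and $s$ is
not a commutative normal form, absurd.

• a variable $x$. By the machine invariant, $x$ must be bound by
$E{\upharpoonright}$. So $E = E_1 :: [x{\leftarrow}u] :: E_2$, a
$\to_{c_2}$ transition applies, and $s$ is not a commutative normal
form, absurd.

• an abstraction $v$. Two cases:

■ The stack $\pi$ is empty. The dump $D$ cannot be empty, since if
$D = \epsilon$ we have that $\underline{s} = \underline{E}\langle v\rangle$
is normal. So $D = (x, \pi') :: D'$. By duality,
$E = E_1 :: [x{\leftarrow}\Box] :: E_2$ and a $\to_{e}$ transition
applies.

■ The stack $\pi$ is non-empty. If the dump $D$ is empty, the first
case of $\to_{m}$ applies. If $D = (x, \pi') :: D'$, by duality
$E = E_1 :: [x{\leftarrow}\Box] :: E_2$ and the second case of
$\to_{m}$ applies. □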

10. Distillation Preserves Complexity 

Here, for every abstract machine we bound the number of commutative
steps $|\rho|_{c}$ in an execution $\rho$ in terms of

1. the number of principal steps $|\rho|_{p}$,

2. the size $|t|$ of the initial code $t$.

The analysis only concerns the machines, but via the distillation
theorems it expresses the length of the machine executions as a
linear function of the length of the distilled derivations in the
calculi. For every distillery, we will prove that the relationship is
linear in both parameters, namely $|\rho|_{c} = O(|t| \cdot |\rho|_{p})$ holds.

Definition 10.1. Let $M$ be a distilled abstract machine and
$\rho : s \to^{*} s'$ be an execution of initial code $t$. $M$ is

1. Globally bilinear if $|\rho|_{c} = O((|t| + 1) \cdot |\rho|_{p})$.

2. Locally linear if whenever $s' \to_{c}^{k} s''$ then $k = O(|t|)$.

The next lemma shows that local linearity is a sufficient condition
for global bilinearity.

Proposition 10.2 (Locally Linear ⇒ Globally Bilinear). Let $M$ be
a locally linear distilled abstract machine, and $\rho$ an execution of
initial code $t$. Then $M$ is globally bilinear.

Proof. The execution $\rho$ writes uniquely as
$\to_{c}^{k_1} \to_{p}^{h_1} \cdots \to_{c}^{k_m} \to_{p}^{h_m}$.
By hypothesis $k_i = O(|t|)$ for every $i \in \{1, \ldots, m\}$. From
$m \le |\rho|_{p}$ follows that $|\rho|_{c} = O(|t| \cdot |\rho|_{p})$.
We conclude with
$|\rho| = |\rho|_{p} + |\rho|_{c} = |\rho|_{p} + O(|t| \cdot |\rho|_{p}) = O((|t| + 1) \cdot |\rho|_{p})$. □

Call-by-name and call-by-value machines are easily seen to be 
locally linear, and thus globally bilinear. 

Theorem 10.3. KAM, MAM, CEK, LAM, and the Split CEK are
locally linear, and so also globally bilinear.

Proof. 1. KAM/MAM. Immediate: $\to_{c}$ reduces the size of the code,
that is bounded by $|t|$ by the subterm invariant.

2. CEK. Consider the following measure for states:

$$\#(u \mid e \mid \pi) := \begin{cases} |u| + |w| & \text{if } \pi = a(w, e') :: \pi' \\ |u| & \text{otherwise} \end{cases}$$

By direct inspection of the rules, it can be seen that both
$\to_{c_1}$ and $\to_{c_2}$ transitions decrease the value of $\#$ for
CEK states, and so the relation $\to_{c_1} \cup \to_{c_2}$ terminates
(on reachable states). Moreover, both $|u|$ and $|w|$ are bounded by
$|t|$ by the subterm invariant (Lemma 6.1.2), and so
$k \le 2 \cdot |t| = O(|t|)$.

3. LAM and Split CEK. Minor variations over the CEK, see the
appendix (page 25). □
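The local-linearity argument for the CEK can be checked mechanically on a run. The following Python sketch is an added example, not code from the paper: it implements the four CEK transitions of Sect. 6.1 and the measure # used in the proof above, asserting that # strictly decreases on every commutative step. The tuple encoding of terms and the cons-list representation of environments and stacks are assumptions of the example.

```python
from collections import Counter

# Terms as tuples (an encoding chosen for this example).
def Var(x): return ("var", x)
def Lam(x, body): return ("lam", x, body)
def App(t, u): return ("app", t, u)

def size(t):
    """|t|: number of term constructors."""
    return 1 + sum(size(s) for s in t[1:] if isinstance(s, tuple))

def lookup(env, x):
    """Closure bound to x in a local environment (cons-list, None = empty)."""
    while env is not None:
        (name, closure), env = env
        if name == x:
            return closure
    raise LookupError(f"unbound variable {x!r}: the initial code must be closed")

def length(lst):
    n = 0
    while lst is not None:
        n, lst = n + 1, lst[1]
    return n

def measure(code, stack):
    """The measure #: |u| + |w| if the stack top is a(w, e'), else |u|."""
    if stack is not None and stack[0][0] == "a":
        return size(code) + size(stack[0][1][0])
    return size(code)

def step(code, env, stack):
    """One CEK transition: (label, code, env, stack), or None on a final state."""
    if code[0] == "app":                         # tu | e | pi ->c1 t | e | a(u,e)::pi
        _, t, u = code
        return "c1", t, env, (("a", (u, env)), stack)
    if code[0] == "var":                         # x | e | pi ->e t | e' | pi
        t, e1 = lookup(env, code[1])
        return "e", t, e1, stack
    if stack is None:                            # value with empty stack
        return None
    (kind, (u, e1)), rest = stack
    if kind == "a":                              # v | e | a(u,e')::pi ->c2 u | e' | f(v,e)::pi
        return "c2", u, e1, (("f", (code, env)), rest)
    _, x, body = u                               # v | e | f(lam x.t,e')::pi ->m ...
    return "m", body, ((x, (code, env)), e1), rest

def run_cek(t, fuel=10_000):
    """Run the CEK on a closed, well-named term and collect step statistics."""
    code, env, stack = t, None, None
    counts, run_len, longest, max_env = Counter(), 0, 0, 0
    for _ in range(fuel):
        nxt = step(code, env, stack)
        if nxt is None:
            return {"result": code, "steps": dict(counts), "size": size(t),
                    "longest_c_run": longest, "max_env": max_env}
        label, code2, env2, stack2 = nxt
        if label in ("c1", "c2"):
            # Proof of Theorem 10.3: # strictly decreases on commutative steps.
            assert measure(code2, stack2) < measure(code, stack)
            run_len += 1
            longest = max(longest, run_len)
        else:
            run_len = 0
        counts[label] += 1
        code, env, stack = code2, env2, stack2
        max_env = max(max_env, length(env))
    raise RuntimeError("out of fuel (diverging term?)")

# Constructed sample: (lam f. f (f (lam w. w))) (lam z. z), closed and well-named.
SAMPLE = App(Lam("f", App(Var("f"), App(Var("f"), Lam("w", Var("w"))))),
             Lam("z", Var("z")))

if __name__ == "__main__":
    print(run_cek(SAMPLE))
```

On the sample the longest block of consecutive commutative steps has length 2, well within the bound of twice the size of the initial code, and no environment is longer than the initial code.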

Call-by-need machines are not locally linear, because a se- 



quence of -^ C2 steps (remember 



2 ) can be as long 



as the environment $E$, that is not bound by $|t|$ (as for the MAM).
Luckily, being locally linear is not a necessary condition for global
bilinearity. We are in fact going to show that call-by-need machines
are globally bilinear. The key observation is that $|\rho|_{c_2}$ is
not only locally but also globally bound by $|\rho|_{p}$, as the next
lemma formalizes.

We treat the WAM. The reasoning for the Merged WAM and for
the Pointing WAM is analogous. Define $|\epsilon| := 0$ and
$|(E, x, \pi) :: D| := 1 + |D|$. We have:

Lemma 10.4. Let $s = t \mid \pi \mid D \mid E$ be a WAM state, reached
by the execution $\rho$. Then

1. $|\rho|_{c_2} = |\rho|_{e} + |D|$.

2. $|E| + |D| \le |\rho|_{m}$.

3. $|\rho|_{c_2} \le |\rho|_{e} + |\rho|_{m} = |\rho|_{p}$.

Proof. 1. Immediate, since $\to_{c_2}$ is the only transition that
pushes elements on $D$ and $\to_{e}$ is the only transition that pops
them.

2. The only rule that produces substitutions is $\to_{m}$. Note that 1)
$\to_{c_2}$ and $\to_{e}$ preserve the global number of substitutions
in a state; 2) $E$ and $D$ are made out of substitutions, if one
considers every entry $(E, x, \pi)$ of the dump as a substitution on
$x$ (and so the statement follows); 3) the inequality is given by the
fact that an entry of the dump stocks an environment (counting for
many substitutions).

3. Substitute Point 2 in Point 1. □



Theorem 10.5. The WAM has globally linear commutations.

Proof. Let $\rho$ be an execution of initial code $t$. Define
$\to_{\neg c_1} := \to_{e} \cup \to_{m} \cup \to_{c_2}$ and note
$|\rho|_{\neg c_1}$ the number of its steps in $\rho$. We estimate
$\to_{c} := \to_{c_1} \cup \to_{c_2}$ by studying its components
separately. For $\to_{c_2}$, Lemma 10.4.3 proves
$|\rho|_{c_2} \le |\rho|_{p} = O(|\rho|_{p})$. For $\to_{c_1}$, as for
the KAM, the length of a maximal $\to_{c_1}$ subsequence of $\rho$ is
bounded by $|t|$. The number of $\to_{c_1}$ maximal subsequences of
$\rho$ is bounded by $|\rho|_{\neg c_1}$, that by Lemma 10.4.3 is
linear in $O(|\rho|_{p})$. Then $|\rho|_{c_1} = O(|t| \cdot |\rho|_{p})$.
Summing up,

$$|\rho|_{c_2} + |\rho|_{c_1} = O(|\rho|_{p}) + O(|t| \cdot |\rho|_{p}) = O((|t| + 1) \cdot |\rho|_{p})$$ □

11. Conclusions 

The novelty of our study consists in using the linear substitution 
calculus (LSC) to discriminate between abstract machine transi- 
tions: some of them — the principal ones — are simulated, and thus 
shown to be logically relevant, while the others — the commutative 
ones — are sent on the structural congruence and have to be consid- 
ered as bookkeeping operations. On one hand, the LSC is a sharp 
tool to study abstract machines. On the other hand, it provides an
alternative framework which is simpler while being conservative at
the level of complexity analysis.

A. Technical Appendix: proofs of the determinism of the calculi
(Proposition 2.1)

A.1 Call-by-Name

Let $t = H_1\langle r_1\rangle = H_2\langle r_2\rangle$. By induction on
the structure of $t$. Cases:

• Variable or an abstraction. Vacuously true, because there is
no redex.

• Application. Let $t = u w$. Suppose that one of the two evaluation
contexts, for instance $H_1$, is equal to $\langle\cdot\rangle$. Then,
we must have $u = \lambda x.u'$, but in that case it is easy to see
that the result holds, because $H_2$ cannot have its hole to the right
of an application (in $w$) or under an abstraction (in $u'$). We may
then assume that none of $H_1$, $H_2$ is equal to
$\langle\cdot\rangle$. In that case, we must have $H_1 = H_1'\,w$ and
$H_2 = H_2'\,w$, and we conclude by induction hypothesis.

• Substitution. Let $t = u[x{\leftarrow}w]$. This case is entirely
analogous to the previous one.

A.2 Left-to-Right Call-by-Value

We prove the following statement, of which the determinism of the
reduction is a consequence.

Lemma A.1. Let $t$ be a term. Then $t$ has at most one subterm $u$
that verifies both (i) and (ii):

(i) Either $u$ is a variable $x$, or $u$ is an application
$L\langle v\rangle\,L'\langle v'\rangle$, for $v$, $v'$ being values,

(ii) $u$ is under a left-to-right call-by-value evaluation context,
i.e. $t = V\langle u\rangle$.

From the statement it follows that there is at most one
$\multimap$-redex in $t$, i.e. $\multimap$ is deterministic.

Proof, by induction on the structure of $t$:

• $t$ is a variable. There is only one subterm, under the empty
evaluation context.

• $t$ is an abstraction. There are no subterms that verify both (i)
and (ii), since the only possible evaluation context is the empty
one.

• $t$ is an application $w\,r$. There are three possible situations:

■ The left subterm $w$ is not of the form $L\langle v\rangle$. Then $u$
cannot be at the root, i.e. $u \neq t$. Since $w\,\langle\cdot\rangle$
is not an evaluation context, $u$ must be internal to
$\langle\cdot\rangle\,r$, which is an evaluation context. We conclude
by i.h.

■ The left subterm $w$ is of the form $L\langle v\rangle$ with $v$ a
value, but the right subterm $r$ is not. Then $u$ cannot be a subterm
of $w$, and also $u \neq t$. Hence, if there is a subterm $u$ as in the
statement, it must be internal to the evaluation context
$w\,\langle\cdot\rangle$. We conclude by i.h.

■ Both subterms have that form, i.e. $w = L\langle v\rangle$ and
$r = L'\langle v'\rangle$ with $v$ and $v'$ values. The only subterm
that verifies both (i) and (ii) is $u = t$.

• $t$ is a substitution $w[x{\leftarrow}r]$. Any occurrence of $u$ must
be internal to $w$ (because $w[x{\leftarrow}\langle\cdot\rangle]$ is
not an evaluation context). We conclude by i.h. that there is at most
one such occurrence.

□

A.3 Right-to-Left Call-by-Value

Exactly as in the case for left-to-right call-by-value, we prove 
the following property, from which determinism of the reduction 
follows. 

Lemma A.2. Let $t$ be a term. Then $t$ has at most one subterm $u$
that verifies both (i) and (ii):

(i) $u$ is either a variable $x$ or an application $L\langle v\rangle L'\langle v'\rangle$, where $v$
and $v'$ are values,
(ii) $u$ is under a right-to-left call-by-value evaluation context, i.e.
$t = S\langle u\rangle$.

As a corollary, any term $t$ has at most one $\multimap$-redex.

Proof. By induction on the structure of $t$:

• Variable or abstraction. Immediate. 

• Application. If $t = w\,r$, there are three cases:

■ The right subterm $r$ is not of the form $L'\langle v'\rangle$. Then $u$ cannot
be at the root. Since $\langle\cdot\rangle\,r$ is not an evaluation context, $u$ must
be internal to $r$ and we conclude by i.h.

■ The right subterm $r$ is of the form $L'\langle v'\rangle$ but the left subterm
$w$ is not. Again $u$ cannot be at the root. Moreover, $r$ has
no applications or variables under an evaluation context.
Therefore $u$ must be internal to $w$ and we conclude by i.h.

■ Both subterms have that form, i.e. $w = L\langle v\rangle$ and $r = L'\langle v'\rangle$.
We first note that $w$ and $r$ have no applications or
variables under an evaluation context. The only possibility
that remains is that $u$ is at the root, i.e. $u = t$.

• Substitution. If $t = w[x\leftarrow r]$ is a substitution, $u$ must be
internal to $w$ (because $w[x\leftarrow\langle\cdot\rangle]$ is not an evaluation context),
and we conclude by i.h.

□ 

A.4 Call-by-Need 

We first need an auxiliary result: 

Lemma A.3. Let $t := N\langle x\rangle$ for an evaluation context $N$ such that
$x \in \mathtt{fv}(t)$. Then:

1. for every substitution context $L$ and abstraction $v$, $t \neq L\langle v\rangle$;

2. for every evaluation context $N'$ and variable $y$, $t = N'\langle y\rangle$
implies $N' = N$ and $y = x$;

3. $t$ is a call-by-need normal form.

Proof. In all points we use a structural induction on $N$. For point 1:

• $N = \langle\cdot\rangle$: obvious.

• $N = N_1 u$: obvious.

• $N = N_1[y\leftarrow u]$: suppose that $L = L'[y\leftarrow u]$ (for otherwise the
result is obvious); then we apply the induction hypothesis to $N_1$
to obtain $N_1\langle x\rangle \neq L'\langle v\rangle$.

• $N = N_1\langle y\rangle[y\leftarrow N_2]$: suppose that $L = L'[y\leftarrow N_2\langle x\rangle]$ (for
otherwise the result is obvious); then we apply the induction
hypothesis to $N_1$ to obtain $N_1\langle y\rangle \neq L'\langle v\rangle$.

For point 2:

• $N = \langle\cdot\rangle$: obvious.

• $N = N_1 u$: we must necessarily have $N' = N_1' u$ and we
conclude by induction hypothesis.

• $N = N_1[z\leftarrow u]$: in principle, there are two cases. First, we may
have $N' = N_1'[z\leftarrow u]$, which allows us to conclude immediately
by induction hypothesis, as above. The second possibility
would be $N' = N_1'\langle z\rangle[z\leftarrow N_2']$, with $N_2'\langle y\rangle = u$, but this is
actually impossible. In fact, it would imply $N_1\langle x\rangle = N_1'\langle z\rangle$, which
by induction hypothesis would give us $z = x$, contradicting the
hypothesis $x \in \mathtt{fv}(t)$.

• $N = N_1\langle z\rangle[z\leftarrow N_2]$: by symmetry with the above case, the only
possibility is $N' = N_1'\langle z\rangle[z\leftarrow N_2']$, which allows us to conclude
immediately by induction hypothesis.



For point 3, let $r$ be a redex (i.e., a term matching the left hand
side of $\mapsto_{dB}$ or $\mapsto_{lsv}$) and let $N'$ be an evaluation context. We will
show by structural induction on $N$ that $t \neq N'\langle r\rangle$. We will do this
by considering, in each inductive case, all the possible shapes of
$N'$.

• $N = \langle\cdot\rangle$: obvious.

• $N = N_1 u$: the result is obvious unless $N' = \langle\cdot\rangle$ or $N' = N_1' u$.
In the latter case, we conclude by induction hypothesis (on $N_1$).
In the former case, since $r$ is a redex, we are forced to have
$r = L\langle v\rangle u'$ for some abstraction $v$, substitution context $L$ and
term $u'$. Now, even supposing $u' = u$, we are still allowed to
conclude because $N_1\langle x\rangle \neq L\langle v\rangle$ by point 1.

• $N = N_1[y\leftarrow u]$: the result is obvious unless:

■ $N' = \langle\cdot\rangle$: this time, the fact that $r$ is a redex forces
$r = N_1'\langle y\rangle[y\leftarrow u]$. Even if we admit that $u = L\langle v\rangle$, we may
still conclude because $x \neq y$ (by the hypothesis $x \in \mathtt{fv}(t)$),
hence $N_1\langle x\rangle \neq N_1'\langle y\rangle$ by point 2.

■ $N' = N_1'[y\leftarrow u]$: immediate by induction hypothesis on $N_1$.

■ $N' = N_1'\langle y\rangle[y\leftarrow N_2']$: even if $N_2'\langle r\rangle = u$, we may still
conclude because, again, $x \neq y$ implies $N_1\langle x\rangle \neq N_1'\langle y\rangle$
by point 2.

• $N = N_1\langle y\rangle[y\leftarrow N_2]$: again, the result is obvious unless:

■ $N' = \langle\cdot\rangle$: the fact that $r$ is a redex implies
$r = N_1'\langle y\rangle[y\leftarrow L\langle v\rangle]$. Even assuming $N_1' = N_1$, we may still
conclude because $N_2\langle x\rangle \neq L\langle v\rangle$ by point 1.

■ $N' = N_1'[y\leftarrow N_2\langle x\rangle]$: since $y \in \mathtt{fv}(N_1\langle y\rangle)$, we conclude
because the induction hypothesis gives us $N_1\langle y\rangle \neq N_1'\langle r\rangle$.

■ $N' = N_1\langle y\rangle[y\leftarrow N_2']$: we conclude at once by applying the
induction hypothesis to $N_2$.

□ 

Now, the proof of Proposition 2.1 is by structural induction on
$t := N_1\langle r_1\rangle = N_2\langle r_2\rangle$. Cases:

• Variable or abstraction. Impossible, since variables and
abstractions are both call-by-need normal.

• Application, $t = u\,w$. This case is treated exactly as in the
corresponding case of the proof of Proposition 2.1.

• Substitution, i.e. $t = u[x\leftarrow w]$. Cases:

■ Both contexts have their holes in $u$ or $w$. It follows from the
i.h.

■ One of the contexts, say $N_1$, is empty, i.e. $u = N_3\langle x\rangle$, $w = L\langle v\rangle$,
and $r_1 = N_3\langle x\rangle[x\leftarrow L\langle v\rangle]$. This case is impossible.
Indeed, 1) the hole of $N_2$ cannot be in $L\langle v\rangle$, because it
is call-by-need normal, and 2) it cannot be inside $N_3\langle x\rangle$
because by Lemma A.3.3 $N_3\langle x\rangle$ is call-by-need normal.

■ One of the contexts, say $N_1$, has its hole in $w$ and the
other one has its hole in $u$, i.e. $N_1 = N_3\langle x\rangle[x\leftarrow N_4]$
and $N_2 = N_5[x\leftarrow w]$. This case is impossible, because by
Lemma A.3.3 $N_3\langle x\rangle$ is call-by-need normal.

B. Technical Appendix: proofs of strong bisimulation

B.1 Proof of Proposition 2.2 ($\equiv$ is a strong bisimulation) for call-by-name

Before proving the main result, we need two auxiliary lemmas, 
proved by straightforward inductions on H: 

Lemma B.1. Let $t$ be a term, $H$ be a call-by-name evaluation
context not capturing any variable in $\mathtt{fv}(t)$, and $x \notin \mathtt{fv}(H\langle y\rangle)$.
Then $H\langle t[x\leftarrow u]\rangle \equiv H\langle t\rangle[x\leftarrow u]$.

Lemma B.2. The equivalence relation $\equiv$ as defined for call-by-name
preserves the shape of $H\langle x\rangle$. More precisely, if $H\langle x\rangle \equiv t$,
with $x$ not captured by $H$, then $t$ is of the form $H'\langle x\rangle$, with $x$ not
captured by $H'$.



Now we turn to the proof of Proposition 2.2 itself. 

Let $\Leftrightarrow$ be the symmetric closure of the union of the axioms
defining $\equiv$ for call-by-name, that is of $\equiv_{gc} \cup \equiv_{dup} \cup \equiv_{@} \cup \equiv_{com} \cup \equiv_{[\cdot]}$.
Note that $\equiv$ is the reflexive-transitive closure of $\Leftrightarrow$. The
proof is in two parts:

(I) Prove the property holds for $\Leftrightarrow$, i.e. if $t \multimap_a u$ and $t \Leftrightarrow w$,
there exists $r$ s.t. $w \multimap_a r$ and $u \equiv r$.

(II) Prove the property holds for $\equiv$ (i.e. for many steps of $\Leftrightarrow$)
by resorting to (I).

The proof of (II) is immediate by induction on the number
of $\Leftrightarrow$ steps. The proof of (I) goes by induction on the rewriting
step $\multimap$ (that, since $\multimap$ is closed by evaluation contexts, becomes a
proof by induction on the evaluation context $H$). In principle, we
should always consider the two directions of $\Leftrightarrow$. Most of the time,
however, one direction is obtained by simply reading the diagram
of the other direction bottom-up, instead of top-down; these cases
are simply omitted, and we distinguish the two directions only when it
is relevant.



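1. Base case 1: multiplicative root step $t = L\langle\lambda x.t'\rangle u' \mapsto_{dB} L\langle t'[x\leftarrow u']\rangle = u$.

If the $\Leftrightarrow$ step is internal to $u'$ or internal to one of the
substitutions in $L$, the pattern of the $\Leftrightarrow$ redex does not overlap with the
$\mapsto_{dB}$ step, and the proof is immediate, the two steps commute.
Otherwise, we consider every possible case for $\Leftrightarrow$:

(a) Garbage Collection $\equiv_{gc}$. The garbage collected substitution
must be one of the substitutions in $L$, i.e. $L$ must be of the
form $L'\langle L''[y\leftarrow w']\rangle$. Let $\widehat{L} := L'\langle L''\rangle$. Then:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle u' & \multimap_{dB} & L\langle t'[x\leftarrow u']\rangle \\
\equiv_{gc} & & \equiv_{gc} \\
\widehat{L}\langle\lambda x.t'\rangle u' & \multimap_{dB} & \widehat{L}\langle t'[x\leftarrow u']\rangle
\end{array}
\]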



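(b) Duplication $\equiv_{dup}$. The duplicated substitution must be one
of the substitutions in $L$, i.e. $L$ must be of the form
$L'\langle L''[y\leftarrow w']\rangle$. Then:

\[
\begin{array}{ccc}
L'\langle L''\langle\lambda x.t'\rangle[y\leftarrow w']\rangle u' & \multimap_{dB} & t_1 \\
\equiv_{dup} & & \equiv_{dup} \\
t_2 & \multimap_{dB} & t_3
\end{array}
\]

where

$t_1 := L'\langle L''\langle t'[x\leftarrow u']\rangle[y\leftarrow w']\rangle$,
$t_2 := L'\langle (L''\langle\lambda x.t'\rangle)_{[z]_y}[y\leftarrow w'][z\leftarrow w']\rangle u'$,
$t_3 := L'\langle (L''\langle t'[x\leftarrow u']\rangle)_{[z]_y}[y\leftarrow w'][z\leftarrow w']\rangle$.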



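(c) Commutation with application $\equiv_{@}$. Here $\equiv_{@}$ can only be
applied in one direction. The diagram is:

\[
\begin{array}{ccc}
L\langle\lambda y.t'\rangle[x\leftarrow q']\,u'[x\leftarrow q'] & \multimap_{dB} & t_4 \\
\equiv_{@} & & \equiv \\
t_1 & \multimap_{dB} & t_2
\end{array}
\]

where the equivalence on the right is $t_2 \equiv_{dup} t_3 \equiv t_6 \equiv t_5 \equiv t_4$ and

$t_1 := (L\langle\lambda y.t'\rangle u')[x\leftarrow q']$,
$t_2 := (L\langle t'[y\leftarrow u']\rangle)[x\leftarrow q']$,
$t_3 := (L\langle t'[y\leftarrow u'\{x\leftarrow y\}]\rangle)[x\leftarrow q'][y\leftarrow q']$,
$t_4 := L\langle t'[y\leftarrow u'[x\leftarrow q']]\rangle[x\leftarrow q']$,
$t_5 := (L\langle t'[y\leftarrow u'\{x\leftarrow y\}[y\leftarrow q']]\rangle)[x\leftarrow q']$,
$t_6 := (L\langle t'[y\leftarrow u'\{x\leftarrow y\}][y\leftarrow q']\rangle)[x\leftarrow q']$.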



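(d) Commutation of independent substitutions $\equiv_{com}$. The
substitutions that are commuted by the $\equiv_{com}$ rule must be both
in $L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w'][z\leftarrow r']\rangle$ with
$z \notin \mathtt{fv}(w')$. Let $\widehat{L} = L'\langle L''[z\leftarrow r'][y\leftarrow w']\rangle$. Then:

$L\langle\lambda x.t'\rangle u' \multimap_{dB} L\langle t'[x\leftarrow u']\rangle$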



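ii. The equivalence $\equiv_{dup}$ acts on $[x\leftarrow t']$. There are two
further sub-cases:

• The substituted occurrence is renamed by $\equiv_{dup}$.

\[
\begin{array}{ccc}
H'\langle x\rangle[x\leftarrow t'] & \multimap_{ls} & H'\langle t'\rangle[x\leftarrow t'] \\
\equiv_{dup} & & \equiv_{dup} \\
H'_{[y]_x}\langle y\rangle[x\leftarrow t'][y\leftarrow t'] & \multimap_{ls} & t_1
\end{array}
\]

where $t_1 := H'_{[y]_x}\langle t'\rangle[x\leftarrow t'][y\leftarrow t']$ and $H'_{[y]_x}$ is
the context obtained from $H'$ by renaming some
(possibly none) occurrences of $x$ as $y$.

• The substituted occurrence is not renamed by $\equiv_{dup}$.
Essentially as in the previous case:

\[
\begin{array}{ccc}
H'\langle x\rangle[x\leftarrow t'] & \multimap_{ls} & H'\langle t'\rangle[x\leftarrow t'] \\
\equiv_{dup} & & \equiv_{dup} \\
H'_{[y]_x}\langle x\rangle[x\leftarrow t'][y\leftarrow t'] & \multimap_{ls} & t_1
\end{array}
\]

where $t_1 := H'_{[y]_x}\langle t'\rangle[x\leftarrow t'][y\leftarrow t']$.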

(c) Commutation with application $\equiv_{@}$. Two sub-cases:

i. The equivalence $\equiv_{@}$ acts on a substitution internal to
$H'$. This case goes as for Garbage collection.

ii. The equivalence $\equiv_{@}$ acts on $[x\leftarrow t']$. It must be the case
that $H'$ is of the form $H''u'$. Then:



$L\langle\lambda x.t'\rangle u' \multimap L\langle t'[x\leftarrow u']\rangle$

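(e) Composition of substitutions $\equiv_{[\cdot]}$. The substitutions that
appear in the left-hand side of the $\equiv_{[\cdot]}$ rule must both be in
$L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w'][z\leftarrow r']\rangle$ with
$z \notin \mathtt{fv}(L''\langle\lambda x.t'\rangle)$. Let $\widehat{L} = L'\langle L''[y\leftarrow w'[z\leftarrow r']]\rangle$.
Exactly as in the previous case:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle u' & \multimap_{dB} & L\langle t'[x\leftarrow u']\rangle \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
\widehat{L}\langle\lambda x.t'\rangle u' & \multimap_{dB} & \widehat{L}\langle t'[x\leftarrow u']\rangle
\end{array}
\]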



2. Base case 2: exponential root step $t = H'\langle x\rangle[x\leftarrow t'] \mapsto_{ls} H'\langle t'\rangle[x\leftarrow t'] = u$.
If the $\Leftrightarrow$ step is internal to $t'$, the proof
is immediate, since there is no overlap with the pattern of the
$\mapsto_{ls}$ redex. Similarly, if the $\Leftrightarrow$ step is internal to $H'\langle x\rangle$, the
proof is straightforward by resorting to Lemma B.2.
Now we proceed by case analysis on the $\Leftrightarrow$ step:

(a) Garbage collection $\equiv_{gc}$. Note that $\equiv_{gc}$ cannot remove
$[x\leftarrow t']$, because by hypothesis $x$ does occur in its scope.
If the removed substitution belongs to $H'$, i.e. $H' = H''\langle H'''[y\leftarrow u']\rangle$.
Let $\widehat{H'} := H''\langle H'''\rangle$. Then:

$H'\langle x\rangle[x\leftarrow t'] \multimap_{ls} H'\langle t'\rangle[x\leftarrow t']$



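\[
\begin{array}{ccc}
(H''\langle x\rangle u')[x\leftarrow t'] & \multimap_{ls} & t_1 \\
\equiv_{@} & & \equiv_{@} \\
t_2 & \multimap_{ls} & t_3
\end{array}
\]

where

$t_1 := (H''\langle t'\rangle u')[x\leftarrow t']$,
$t_2 := H''\langle x\rangle[x\leftarrow t']\,u'[x\leftarrow t']$,
$t_3 := H''\langle t'\rangle[x\leftarrow t']\,u'[x\leftarrow t']$.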



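(d) Commutation of independent substitutions $\equiv_{com}$. Two sub-cases:

i. The equivalence $\equiv_{com}$ acts on two substitutions internal
to $H'$. This case goes as for Garbage collection.

ii. The equivalence $\equiv_{com}$ acts on $[x\leftarrow t']$. It must be the
case that $H'$ is of the form $H''[y\leftarrow u']$. Then:

\[
\begin{array}{ccc}
H''\langle x\rangle[y\leftarrow u'][x\leftarrow t'] & \multimap_{ls} & H''\langle t'\rangle[y\leftarrow u'][x\leftarrow t'] \\
\equiv_{com} & & \equiv_{com} \\
H''\langle x\rangle[x\leftarrow t'][y\leftarrow u'] & \multimap_{ls} & H''\langle t'\rangle[x\leftarrow t'][y\leftarrow u']
\end{array}
\]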



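\[
\begin{array}{ccc}
\equiv_{gc} & & \equiv_{gc} \\
\widehat{H'}\langle x\rangle[x\leftarrow t'] & \multimap_{ls} & \widehat{H'}\langle t'\rangle[x\leftarrow t']
\end{array}
\]

If $\equiv_{gc}$ adds a substitution as topmost constructor the diagram
is analogous.

(b) Duplication $\equiv_{dup}$. Two sub-cases:

i. The equivalence $\equiv_{dup}$ acts on a substitution internal to
$H'$. This case goes as for Garbage collection.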



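(e) Composition of substitutions $\equiv_{[\cdot]}$. Two sub-cases:

i. The equivalence $\equiv_{[\cdot]}$ acts on two substitutions internal
to $H'$. This case goes as for Garbage collection.

ii. The equivalence $\equiv_{[\cdot]}$ acts on $[x\leftarrow t']$. Note that the
equivalence $\equiv_{[\cdot]}$ cannot be applied from left to right to $[x\leftarrow t']$,
because $H'\langle x\rangle$ must be of the form $H''\langle x\rangle[y\leftarrow u']$ with
$x \notin \mathtt{fv}(H''\langle x\rangle)$, which is clearly not possible. It can be
applied from right to left. The diagram is:

\[
\begin{array}{ccc}
H'\langle x\rangle[x\leftarrow t'[y\leftarrow u]] & \multimap_{ls} & t_4 \\
\equiv_{[\cdot]} & & \equiv \\
t_1 & \multimap_{ls} & t_2
\end{array}
\]

where the equivalence on the right is
$t_4 \equiv t_5$ (by Lemma B.1), $t_5 \equiv_{[\cdot]} t_6 \equiv t_7 \equiv t_3 \equiv_{dup} t_2$, and

$t_1 := H'\langle x\rangle[x\leftarrow t'][y\leftarrow u]$,
$t_2 := H'\langle t'\rangle[x\leftarrow t'][y\leftarrow u]$,
$t_3 := H'\langle t'\{y\leftarrow z\}\rangle[x\leftarrow t'][z\leftarrow u][y\leftarrow u]$,
$t_4 := H'\langle t'[y\leftarrow u]\rangle[x\leftarrow t'[y\leftarrow u]]$,
$t_5 := H'\langle t'\rangle[y\leftarrow u][x\leftarrow t'[y\leftarrow u]]$,
$t_6 := H'\langle t'\rangle[y\leftarrow u][x\leftarrow t'][y\leftarrow u]$,
$t_7 := H'\langle t'\{y\leftarrow z\}\rangle[z\leftarrow u][x\leftarrow t'][y\leftarrow u]$.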

3. Inductive case 1: left of an application $H = H'q$. The situation is:

$t = t'q \multimap_a u'q = u$

for terms $t'$, $u'$ such that either $t' \multimap_m u'$ or $t' \multimap_e u'$. Two sub-cases:

(a) The $\Leftrightarrow$ step is internal to $t'$. The proof simply uses the
i.h. applied to the (strictly smaller) evaluation context of the
step $t' \multimap_a u'$.

(b) The $\Leftrightarrow$ step involves the topmost application. The $\Leftrightarrow$
step can only be a commutation with the root application.
Moreover, for $t'q$ to match with the right-hand side of the
$\equiv_{@}$ rule, $t'$ must have the form $w'[x\leftarrow r']$ and $q$ the form
$q'[x\leftarrow r']$, so that the $\Leftrightarrow$ is:

$w = (w'q')[x\leftarrow r'] \equiv_{@} w'[x\leftarrow r']\,q'[x\leftarrow r'] = t$

Three sub-cases:

i. The rewriting step is internal to $w'$. Then the two steps
trivially commute. Let $a \in \{dB, ls\}$:

\[
\begin{array}{ccc}
w'[x\leftarrow r']\,q'[x\leftarrow r'] & \multimap_a & w''[x\leftarrow r']\,q'[x\leftarrow r'] \\
\equiv_{@} & & \equiv_{@} \\
(w'q')[x\leftarrow r'] & \multimap_a & (w''q')[x\leftarrow r']
\end{array}
\]

ii. dB-step not internal to $w'$. Exactly as the multiplicative
root case 1c (read in the other direction).

iii. ls-step not internal to $w'$. Not possible: the topmost
constructor is an application, consequently any $\multimap_e$ has to take
place in $w'$.

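4. Inductive case 2: left of a substitution $H = H'[x\leftarrow q]$. The
situation is:

$t = t'[x\leftarrow q] \multimap u'[x\leftarrow q] = u$

with $t' = H'\langle t''\rangle$. If the $\Leftrightarrow$ step is internal to $H'\langle t''\rangle$,
we conclude using the i.h. Otherwise:

(a) Garbage Collection $\equiv_{gc}$. If the garbage collected
substitution is $[x\leftarrow q]$ then:

\[
\begin{array}{ccc}
t'[x\leftarrow q] & \multimap & u'[x\leftarrow q] \\
\equiv_{gc} & & \equiv_{gc} \\
t' & \multimap & u'
\end{array}
\]

If the substitution is introduced out of the blue,
i.e. $t'[x\leftarrow q] \equiv_{gc} t'[x\leftarrow q][y\leftarrow q']$ or
$t'[x\leftarrow q] \equiv_{gc} t'[y\leftarrow q'][x\leftarrow q]$, the diagram is analogous.

(b) Duplication $\equiv_{dup}$. If the duplicated substitution is $[x\leftarrow q]$
then:

\[
\begin{array}{ccc}
t'[x\leftarrow q] & \multimap & u'[x\leftarrow q] \\
\equiv_{dup} & & \equiv_{dup} \\
t'_{[y]_x}[x\leftarrow q][y\leftarrow q] & \multimap & u'_{[y]_x}[x\leftarrow q][y\leftarrow q]
\end{array}
\]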



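If duplication is applied in the other direction, i.e. $t' = t''[y\leftarrow q]$ and

$t'[x\leftarrow q] = t''[y\leftarrow q][x\leftarrow q] \equiv_{dup} t''\{y\leftarrow x\}[x\leftarrow q] = t'[x\leftarrow q]$

the interesting case is when $t'' = H''\langle y\rangle$ and the step is
exponential:

\[
\begin{array}{ccc}
H''\langle y\rangle[y\leftarrow q][x\leftarrow q] & \multimap_{ls} & H''\langle q\rangle[y\leftarrow q][x\leftarrow q] \\
\equiv_{dup} & & \equiv_{dup} \\
H''\langle x\rangle\{y\leftarrow x\}[x\leftarrow q] & \multimap_{ls} & H''\langle q\rangle\{y\leftarrow x\}[x\leftarrow q]
\end{array}
\]

If $t'$ is $H''\langle x\rangle$ it is an already treated base case and if $t'$ has
another form the rewriting step does not interact with the
duplication, and so they simply commute.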
(c) Commutation with application $\equiv_{@}$. Then $t' = t''u''$. Three
sub-cases:

i. The $\multimap$ step is internal to $t''$. Then:

\[
\begin{array}{ccc}
(t''u'')[x\leftarrow q] & \multimap & (t'''u'')[x\leftarrow q] \\
\equiv_{@} & & \equiv_{@} \\
t''[x\leftarrow q]\,u''[x\leftarrow q] & \multimap & t'''[x\leftarrow q]\,u''[x\leftarrow q]
\end{array}
\]

ii. The $\multimap$ step is a multiplicative step. If $t'' = L\langle\lambda y.t'''\rangle$
then it goes like the diagram of the multiplicative root
case 1c (read in the other direction).

iii. The $\multimap$ step is an exponential step. Then it must be
$[x\leftarrow q]$ that substitutes on the head variable, but this case
has already been treated as a base case (case 2c).

(d) Commutation of independent substitutions $\equiv_{com}$. It must
be $t' = t''[y\leftarrow q']$ with $x \notin \mathtt{fv}(q')$, so that
$t''[y\leftarrow q'][x\leftarrow q] \equiv_{com} t''[x\leftarrow q][y\leftarrow q']$. Three sub-cases:

i. Reduction takes place in $t''$. Then reduction and the
equivalence simply commute, as in case 4(c)i.

ii. Exponential steps involving $[x\leftarrow q]$. This is an already
treated base case (case 2(d)ii).

iii. Exponential step involving $[y\leftarrow q']$. This case is solved
reading bottom-up the diagram of case 2(d)ii.

(e) Composition of substitutions $\equiv_{[\cdot]}$. It must be
$t' = t''[y\leftarrow q']$ with $x \notin \mathtt{fv}(t'')$, so that
$t''[y\leftarrow q'][x\leftarrow q] \equiv_{[\cdot]} t''[x\leftarrow q[y\leftarrow q']]$. Three sub-cases:

i. Reduction takes place in $t''$. Then reduction and the
equivalence simply commute, as in case 4(c)i.

ii. Exponential steps involving $[x\leftarrow q]$. This case is solved
reading bottom-up the diagram of case 2(e)ii.

iii. Exponential step involving $[y\leftarrow q']$. Impossible, because
by hypothesis $x \notin \mathtt{fv}(t'')$.

B.2 Proof of Proposition 2.2 ($\equiv$ is a strong bisimulation) for left-to-right call-by-value

We follow the structure of the proof in Sect. B.1 for call-by-name.
Structural equivalence for call-by-value is defined exactly in the
same way.



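Before proving the main result, we need the following auxiliary
lemmas, proved by straightforward inductions on the contexts.
Lemma B.3.2 is the adaptation of Lemma B.2 already stated for
call-by-name:

Lemma B.3. The equivalence relation $\equiv$ preserves the "shapes"
of $L\langle v\rangle$ and $V\langle x\rangle$. Formally:

1. If $L\langle v\rangle \equiv t$, then $t$ is of the form $L'\langle v'\rangle$.

2. If $V\langle x\rangle \equiv t$, with $x$ not bound by $V$, then $t$ is of the form $V'\langle x\rangle$,
with $x$ not bound by $V'$.

Lemma B.4. $L\langle t[x\leftarrow u]\rangle \equiv L\langle t[x\leftarrow L\langle u\rangle]\rangle$

Proof. By induction on $L$. The base case is trivial. For $L = L'[y\leftarrow w]$,
by i.h. we have:

$L'\langle t[x\leftarrow u]\rangle[y\leftarrow w] \equiv L'\langle t[x\leftarrow L'\langle u\rangle]\rangle[y\leftarrow w]$

Let $(L'\langle u\rangle)_{[z]_y}$ be the result of replacing all occurrences of $y$ by $z$
in $L'\langle u\rangle$. Then:

\[
\begin{array}{rl}
 & L'\langle t[x\leftarrow L'\langle u\rangle]\rangle[y\leftarrow w] \\
\equiv_{dup} & L'\langle t[x\leftarrow (L'\langle u\rangle)_{[z]_y}]\rangle[y\leftarrow w][z\leftarrow w] \\
\equiv^{*}_{com} & L'\langle t[x\leftarrow (L'\langle u\rangle)_{[z]_y}][z\leftarrow w]\rangle[y\leftarrow w] \\
\equiv_{[\cdot]} & L'\langle t[x\leftarrow (L'\langle u\rangle)_{[z]_y}[z\leftarrow w]]\rangle[y\leftarrow w] \\
=_{\alpha} & L'\langle t[x\leftarrow L'\langle u\rangle[y\leftarrow w]]\rangle[y\leftarrow w]
\end{array}
\]

□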
Now we prove the strong bisimulation property, by induction on 



1. Base case 1: multiplicative root step $t = L\langle\lambda x.t'\rangle L'\langle v\rangle \mapsto_{dBv} u = L\langle t'[x\leftarrow L'\langle v\rangle]\rangle$.
The nontrivial cases are when the $\Leftrightarrow$
step overlaps the pattern of the dBv-redex. Note that by
Lemma B.3.1, if the $\Leftrightarrow$ is internal to $L'\langle v\rangle$, the proof is direct,
since the dBv-redex is preserved. More precisely, if $L'\langle v\rangle \Leftrightarrow L''\langle v'\rangle$,
we have:



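(c) Commutation with application $\equiv_{@}$. The axiom can be
applied only in one direction and there must be the same
explicit substitution $[y\leftarrow q]$ as topmost constructor of each of
the two sides of the application. The diagram is:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle[y\leftarrow q]\; L'\langle v\rangle[y\leftarrow q] & \multimap_{dBv} & t_1 \\
\equiv_{@} & & \equiv \\
(L\langle\lambda x.t'\rangle\, L'\langle v\rangle)[y\leftarrow q] & \multimap_{dBv} & t_2
\end{array}
\]

where

$t_1 := L\langle t'[x\leftarrow L'\langle v\rangle[y\leftarrow q]]\rangle[y\leftarrow q]$,
$t_2 := L\langle t'[x\leftarrow L'\langle v\rangle]\rangle[y\leftarrow q]$.

To prove the equivalence on the right, let $L'\langle v\rangle_{[z]_x}$ denote
the result of replacing all occurrences of $x$ by a fresh variable
$z$ in $L'\langle v\rangle$. The equivalence holds because:

\[
\begin{array}{rl}
 & L\langle t''[y\leftarrow L'\langle v\rangle]\rangle[x\leftarrow q] \\
\equiv_{dup} & L\langle t''[y\leftarrow L'\langle v\rangle_{[z]_x}]\rangle[x\leftarrow q][z\leftarrow q] \\
\equiv^{*}_{com} & L\langle t''[y\leftarrow L'\langle v\rangle_{[z]_x}][z\leftarrow q]\rangle[x\leftarrow q] \\
\equiv_{[\cdot]} & L\langle t''[y\leftarrow L'\langle v\rangle_{[z]_x}[z\leftarrow q]]\rangle[x\leftarrow q] \\
=_{\alpha} & L\langle t''[y\leftarrow L'\langle v\rangle[x\leftarrow q]]\rangle[x\leftarrow q]
\end{array}
\]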

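(d) Commutation of independent substitutions $\equiv_{com}$. The
commutation of substitutions must be in $L$, i.e. $L$ must be
of the form $L_1\langle L_2[y\leftarrow u'][z\leftarrow w']\rangle$ with $z \notin \mathtt{fv}(u')$. Let
$\widehat{L} := L_1\langle L_2[z\leftarrow w'][y\leftarrow u']\rangle$. Then:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & L\langle t'[x\leftarrow L'\langle v\rangle]\rangle \\
\equiv_{com} & & \equiv_{com} \\
\widehat{L}\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & \widehat{L}\langle t'[x\leftarrow L'\langle v\rangle]\rangle
\end{array}
\]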



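\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & L\langle t'[x\leftarrow L'\langle v\rangle]\rangle \\
\Leftrightarrow & & \equiv \\
L\langle\lambda x.t'\rangle L''\langle v'\rangle & \multimap_{dBv} & L\langle t'[x\leftarrow L''\langle v'\rangle]\rangle
\end{array}
\]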

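Consider the remaining possibilities for $\Leftrightarrow$:

(a) Garbage collection $\equiv_{gc}$. The garbage collected substitution
must be in $L$, i.e. $L$ must be of the form $L_1\langle L_2[y\leftarrow L''\langle v'\rangle]\rangle$
with $y \notin \mathtt{fv}(L_2\langle\lambda x.t'\rangle)$. Let $\widehat{L} := L_1\langle L_2\rangle$. Then:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & L\langle t'[x\leftarrow L'\langle v\rangle]\rangle \\
\equiv_{gc} & & \equiv_{gc} \\
\widehat{L}\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & \widehat{L}\langle t'[x\leftarrow L'\langle v\rangle]\rangle
\end{array}
\]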



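(b) Duplication $\equiv_{dup}$. The duplicated substitution must be in
$L$, i.e. $L$ must be of the form $L_1\langle L_2[y\leftarrow u']\rangle$. Let
$\widehat{L} := L_1\langle\langle\cdot\rangle[y\leftarrow u'][z\leftarrow u']\rangle$. Then:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & L\langle t'[x\leftarrow L'\langle v\rangle]\rangle \\
\equiv_{dup} & & \equiv_{dup} \\
\widehat{L}\langle (L_2\langle\lambda x.t'\rangle)_{[z]_y}\rangle L'\langle v\rangle & \multimap_{dBv} & t_1
\end{array}
\]

where $t_1 := \widehat{L}\langle (L_2\langle t'[x\leftarrow L'\langle v\rangle]\rangle)_{[z]_y}\rangle$.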



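(e) Composition of substitutions $\equiv_{[\cdot]}$. The composition of
substitutions must be in $L$, i.e. $L$ must be of the form
$L_1\langle L_2[y\leftarrow u'][z\leftarrow w']\rangle$ with $z \notin \mathtt{fv}(L_2\langle\lambda x.t'\rangle)$. Let
$\widehat{L} := L_1\langle L_2[y\leftarrow u'[z\leftarrow w']]\rangle$. As in the previous case:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & L\langle t'[x\leftarrow L'\langle v\rangle]\rangle \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
\widehat{L}\langle\lambda x.t'\rangle L'\langle v\rangle & \multimap_{dBv} & \widehat{L}\langle t'[x\leftarrow L'\langle v\rangle]\rangle
\end{array}
\]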



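2. Base case 2: exponential root step $t = V\langle x\rangle[x\leftarrow L\langle v\rangle] \mapsto_{lsv} u = L\langle V\langle v\rangle[x\leftarrow v]\rangle$.
Consider first the case when the $\Leftrightarrow$-redex
is internal to $V\langle x\rangle$. By Lemma B.3.2 we know $\Leftrightarrow$ preserves the
shape of $V\langle x\rangle$, i.e. $V\langle x\rangle \Leftrightarrow \widehat{V}\langle x\rangle$. Then:

\[
\begin{array}{ccc}
V\langle x\rangle[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle V\langle v\rangle[x\leftarrow v]\rangle \\
\Leftrightarrow & & \equiv \\
\widehat{V}\langle x\rangle[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle \widehat{V}\langle v\rangle[x\leftarrow v]\rangle
\end{array}
\]

If the $\Leftrightarrow$-redex is internal to one of the substitutions in $L$, the
proof is straightforward. Note that the $\Leftrightarrow$-redex has always a
substitution at the root. The remaining possibilities are that such
substitution is in $L$, or that it is precisely $[x\leftarrow L\langle v\rangle]$. Axiom by
axiom: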



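(a) Garbage collection $\equiv_{gc}$. If the garbage collected
substitution is in $L$, let $\widehat{L}$ be $L$ without such substitution. Then:

\[
\begin{array}{ccc}
V\langle x\rangle[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle V\langle v\rangle[x\leftarrow v]\rangle \\
\equiv_{gc} & & \equiv_{gc} \\
V\langle x\rangle[x\leftarrow \widehat{L}\langle v\rangle] & \multimap_{lsv} & \widehat{L}\langle V\langle v\rangle[x\leftarrow v]\rangle
\end{array}
\]

The garbage collected substitution cannot be $[x\leftarrow L\langle v\rangle]$,
since this would imply $x \notin \mathtt{fv}(V\langle x\rangle)$, which is a
contradiction.

(b) Duplication $\equiv_{dup}$. If the duplicated substitution is in $L$, then
$L$ is of the form $L_1\langle L_2[y\leftarrow t']\rangle$. Let $\widehat{L} = L_1\langle[y\leftarrow t'][z\leftarrow t']\rangle$.
Then: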



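where

$t_1 := L\langle (V'\langle v\rangle t')[x\leftarrow v]\rangle$,
$t_2 := L\langle V'\langle v\rangle[x\leftarrow v]\rangle\, L\langle t'[x\leftarrow v]\rangle$,
$t_3 := V'\langle x\rangle[x\leftarrow L\langle v\rangle]\, t'[x\leftarrow L\langle v\rangle]$,
$t_4 := L\langle V'\langle v\rangle[x\leftarrow v]\rangle\, t'[x\leftarrow L\langle v\rangle]$.

ii. The substitution acts on the right of the application, i.e.
$V = L'\langle v'\rangle V'$. Similar to the previous case:

\[
\begin{array}{ccc}
(L'\langle v'\rangle\, V'\langle x\rangle)[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & t_1 \\
 & & \equiv \\
\equiv_{@} & & t_2 \\
 & & \equiv \\
t_3 & \multimap_{lsv} & t_4
\end{array}
\]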



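\[
\begin{array}{ccc}
V\langle x\rangle[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle V\langle v\rangle[x\leftarrow v]\rangle \\
\equiv_{dup} & & \equiv_{dup} \\
t_1 & \multimap_{lsv} & t_2
\end{array}
\]

where

$t_1 := V\langle x\rangle[x\leftarrow \widehat{L}\langle L_{2[z]_y}\langle v_{[z]_y}\rangle\rangle]$,
$t_2 := \widehat{L}\langle L_{2[z]_y}\langle V\langle v_{[z]_y}\rangle[x\leftarrow v_{[z]_y}]\rangle\rangle$.

If the duplicated substitution is $[x\leftarrow L\langle v\rangle]$, there are two
possibilities, depending on whether the occurrence of $x$
substituted by the $\mapsto_{lsv}$ step is replaced by the fresh variable
$y$, or left untouched. If it is not replaced: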



V(x)[x<-L(v)] 



-o L(V{v)[x<-v]) 



-dup 



U 



— dup 

(Lemma B.4) 

- - O t 3 



where 



i((^»»[»].[H[H>. 

H(.V{v)) lu]t [x*-v][y^L{v)]), 
(V(x)) [y]x [x^L(v)][y^L(v)]. 



If the occurrence of $x$ substituted by the $\mapsto_{lsv}$ step is
replaced by the fresh variable $y$, the situation is essentially
analogous.

(c) Commutation with application $\equiv_{@}$. The only possibility is
that the substitution $[x\leftarrow L\langle v\rangle]$ is commuted with the
outermost application in $V\langle x\rangle$. Two cases:

i. The substitution acts on the left of the application, i.e.
$V = V't'$.



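\[
\begin{array}{ccc}
(V'\langle x\rangle t')[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & t_1 \\
 & & \equiv \\
\equiv_{@} & & t_2 \\
 & & \equiv \\
t_3 & \multimap_{lsv} & t_4
\end{array}
\]

where

$t_1 := L\langle (L'\langle v'\rangle\, V'\langle v\rangle)[x\leftarrow v]\rangle$,
$t_2 := L\langle L'\langle v'\rangle[x\leftarrow v]\rangle\, L\langle V'\langle v\rangle[x\leftarrow v]\rangle$,
$t_3 := L'\langle v'\rangle[x\leftarrow L\langle v\rangle]\, V'\langle x\rangle[x\leftarrow L\langle v\rangle]$,
$t_4 := L'\langle v'\rangle[x\leftarrow L\langle v\rangle]\, L\langle V'\langle v\rangle[x\leftarrow v]\rangle$.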



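(d) Commutation of independent substitutions $\equiv_{com}$. If the
commuted substitutions both belong to $L$, let $\widehat{L}$ be the
result of commuting them, and the situation is exactly as for
Garbage collection.

The remaining possibility is that $V = V'[y\leftarrow t']$ and
$[x\leftarrow L\langle v\rangle]$ commutes with $[y\leftarrow t']$ (which implies
$x \notin \mathtt{fv}(t')$). Then:

\[
\begin{array}{ccc}
V'\langle x\rangle[y\leftarrow t'][x\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle V'\langle v\rangle[y\leftarrow t'][x\leftarrow v]\rangle \\
\equiv_{com} & & \equiv \\
V'\langle x\rangle[x\leftarrow L\langle v\rangle][y\leftarrow t'] & \multimap_{lsv} & L\langle V'\langle v\rangle[x\leftarrow v]\rangle[y\leftarrow t']
\end{array}
\]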

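(e) Composition of substitutions $\equiv_{[\cdot]}$. If the composed
substitutions both belong to $L$, let $\widehat{L}$ be the result of composing
them, and the situation is exactly as for Garbage collection.
The remaining possibility is that $[x\leftarrow L\langle v\rangle]$ is the outermost
substitution composed by $\equiv_{[\cdot]}$. This is not possible if the
rule is applied from left to right, since it would imply that
$V\langle x\rangle = V'\langle x\rangle[y\leftarrow t']$ with $x \notin V'\langle x\rangle$, which is a
contradiction.

Finally, if the $\equiv_{[\cdot]}$ rule is applied from right to left, $L$ is of
the form $L'[y\leftarrow t']$ and:

\[
\begin{array}{ccc}
V\langle x\rangle[x\leftarrow L'\langle v\rangle[y\leftarrow t']] & \multimap_{lsv} & L'\langle V\langle v\rangle[x\leftarrow v]\rangle[y\leftarrow t'] \\
\equiv_{[\cdot]} & & = \\
V\langle x\rangle[x\leftarrow L'\langle v\rangle][y\leftarrow t'] & \multimap_{lsv} & L'\langle V\langle v\rangle[x\leftarrow v]\rangle[y\leftarrow t']
\end{array}
\]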

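3. Inductive case 1: left of an application $V = V'q$. The situation
is:

$t = V'\langle t'\rangle q \multimap V'\langle u'\rangle q = u$

If the $\Leftrightarrow$ step is internal to $V'\langle t'\rangle$, the result follows by i.h.
The proof is also direct if $\Leftrightarrow$ is internal to $q$. The nontrivial
case is when the $\Leftrightarrow$ step overlaps $V'\langle t'\rangle$ and $q$. There are
two possibilities. The first is trivial: $\equiv_{gc}$ is used to introduce
a substitution out of the blue, but this case clearly commutes
with reduction.

The second is that the application is commuted with a substitution
via the $\equiv_{@}$ rule (applied from right to left). There are two
cases:

(a) The substitution comes from $t'$. That is, $V' = \langle\cdot\rangle$ and $t'$
has a substitution at its root. Then $t'$ must be a $\mapsto_{lsv}$-redex
$t' = V''\langle x\rangle[x\leftarrow L\langle v\rangle]$. Moreover $q = q'[x\leftarrow L\langle v\rangle]$. We
have:

\[
\begin{array}{ccc}
V''\langle x\rangle[x\leftarrow L\langle v\rangle]\; q'[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & t_1 \\
\equiv_{@} & & \equiv \\
t_2 & \multimap_{lsv} & t_3
\end{array}
\]

where

$t_1 := L\langle V''\langle v\rangle[x\leftarrow v]\rangle\, q'[x\leftarrow L\langle v\rangle]$,
$t_2 := (V''\langle x\rangle q')[x\leftarrow L\langle v\rangle]$,
$t_3 := L\langle (V''\langle v\rangle q')[x\leftarrow v]\rangle$.

For the equivalence on the right note that:

\[
\begin{array}{rl}
 & L\langle V''\langle v\rangle[x\leftarrow v]\rangle\, q'[x\leftarrow L\langle v\rangle] \\
\equiv^{*} & L\langle V''\langle v\rangle[x\leftarrow v]\rangle\, L\langle q'[x\leftarrow v]\rangle \\
\equiv_{@} & L\langle V''\langle v\rangle[x\leftarrow v]\; q'[x\leftarrow v]\rangle \\
\equiv_{@} & L\langle (V''\langle v\rangle q')[x\leftarrow v]\rangle
\end{array}
\]

(b) The substitution comes from $V'$. That is: $V' = V''[x\leftarrow w']$.
Moreover, $q = q'[x\leftarrow w']$. The proof is then straightforward:

\[
\begin{array}{ccc}
V''\langle t'\rangle[x\leftarrow w']\, q'[x\leftarrow w'] & \multimap & t_1 \\
\equiv_{@} & & \equiv_{@} \\
t_2 & \multimap & t_3
\end{array}
\]

where

$t_1 := V''\langle u'\rangle[x\leftarrow w']\, q'[x\leftarrow w']$,
$t_2 := (V''\langle t'\rangle q')[x\leftarrow w']$,
$t_3 := (V''\langle u'\rangle q')[x\leftarrow w']$.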

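4. Inductive case 2: right of an application $V = L\langle v\rangle V'$. The
situation is:

$t = L\langle v\rangle\, V'\langle t'\rangle \multimap L\langle v\rangle\, V'\langle u'\rangle = u$

Reasoning as in the previous case (left of an application), if
the $\Leftrightarrow$ step is internal to $V'\langle t'\rangle$, the result follows by i.h.,
and if it is internal to $L\langle v\rangle$, it is straightforward to close the
diagram by resorting to the fact that $\equiv$ preserves the shape of
$L\langle v\rangle$ (Lemma B.3).

The remaining possibility is that the $\Leftrightarrow$ step overlaps both
$L\langle v\rangle$ and $V'\langle t'\rangle$. As in the previous case, this can only be
possible if $\equiv_{gc}$ introduces a substitution out of the blue, which
is a trivial case, or because of a Commutation with application
rule (from right to left). This again leaves two possibilities:

(a) The substitution comes from $t'$. That is, $V' = \langle\cdot\rangle$ and $t'$
is a $\mapsto_{lsv}$-redex $t' = V''\langle y\rangle[y\leftarrow L'\langle v'\rangle]$. Moreover,
$L = L''[y\leftarrow L'\langle v'\rangle]$. Then:

\[
\begin{array}{ccc}
L''\langle v\rangle[y\leftarrow L'\langle v'\rangle]\; V''\langle y\rangle[y\leftarrow L'\langle v'\rangle] & \multimap_{lsv} & t_1 \\
\equiv_{@} & & \equiv \\
t_2 & \multimap_{lsv} & t_3
\end{array}
\]

where

$t_1 := L''\langle v\rangle[y\leftarrow L'\langle v'\rangle]\, L'\langle V''\langle v'\rangle[y\leftarrow v']\rangle$,
$t_2 := (L''\langle v\rangle\, V''\langle y\rangle)[y\leftarrow L'\langle v'\rangle]$,
$t_3 := L'\langle (L''\langle v\rangle\, V''\langle v'\rangle)[y\leftarrow v']\rangle$.

Exactly as in the previous case, for the equivalence on the
right consider:

\[
\begin{array}{rl}
 & L''\langle v\rangle[y\leftarrow L'\langle v'\rangle]\, L'\langle V''\langle v'\rangle[y\leftarrow v']\rangle \\
\equiv & L'\langle L''\langle v\rangle[y\leftarrow v']\rangle\, L'\langle V''\langle v'\rangle[y\leftarrow v']\rangle \\
\equiv_{@} & L'\langle L''\langle v\rangle[y\leftarrow v']\; V''\langle v'\rangle[y\leftarrow v']\rangle \\
\equiv_{@} & L'\langle (L''\langle v\rangle\, V''\langle v'\rangle)[y\leftarrow v']\rangle
\end{array}
\]

(b) The substitution comes from $V'$. That is, $V' = V''[x\leftarrow w']$.
Moreover, $L = L'[x\leftarrow w']$. This case is then straightforward:

\[
\begin{array}{ccc}
L'\langle v\rangle[x\leftarrow w']\, V''\langle t'\rangle[x\leftarrow w'] & \multimap & L'\langle v\rangle[x\leftarrow w']\, V''\langle u'\rangle[x\leftarrow w'] \\
\equiv_{@} & & \equiv_{@} \\
(L'\langle v\rangle\, V''\langle t'\rangle)[x\leftarrow w'] & \multimap & (L'\langle v\rangle\, V''\langle u'\rangle)[x\leftarrow w']
\end{array}
\]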

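5. Inductive case 3: left of a substitution $V = V'[x\leftarrow q]$. The
situation is:

$t = V'\langle t'\rangle[x\leftarrow q] \multimap V'\langle u'\rangle[x\leftarrow q] = u$

If the $\Leftrightarrow$ step is internal to $V'\langle t'\rangle$, the result follows by i.h.
If it is internal to $q$, the steps are orthogonal, which makes the
diagram trivial. If the equivalence $\equiv_{gc}$ introduces a substitution
out of the blue the steps trivially commute.
The remaining possibility is that the substitution $[x\leftarrow q]$ is
involved in the $\Leftrightarrow$ redex. By case analysis on the kind of the step:

(a) Garbage collection $\equiv_{gc}$. We know $x \notin \mathtt{fv}(V'\langle t'\rangle)$ and
therefore also $x \notin \mathtt{fv}(V'\langle u'\rangle)$. We get:

\[
\begin{array}{ccc}
V'\langle t'\rangle[x\leftarrow q] & \multimap & V'\langle u'\rangle[x\leftarrow q] \\
\equiv_{gc} & & \equiv_{gc} \\
V'\langle t'\rangle & \multimap & V'\langle u'\rangle
\end{array}
\]

(b) Duplication $\equiv_{dup}$. The important fact is that if $V'\langle t'\rangle \multimap V'\langle u'\rangle$
and $V'\langle t'\rangle_{[y]_x}$ denotes the result of renaming
some (arbitrary) occurrences of $x$ by $y$ in $V'\langle t'\rangle$, then
$V'\langle t'\rangle_{[y]_x} \multimap V'\langle u'\rangle_{[y]_x}$, where $V'\langle u'\rangle_{[y]_x}$ denotes the
result of renaming some occurrences of $x$ by $y$ in $V'\langle u'\rangle$. By
this we conclude:

\[
\begin{array}{ccc}
V'\langle t'\rangle[x\leftarrow q] & \multimap & V'\langle u'\rangle[x\leftarrow q] \\
\equiv_{dup} & & \equiv_{dup} \\
(V'\langle t'\rangle)_{[y]_x}[x\leftarrow q][y\leftarrow q] & \multimap & (V'\langle u'\rangle)_{[y]_x}[x\leftarrow q][y\leftarrow q]
\end{array}
\]

(c) Commutation with application $\equiv_{@}$. $V'\langle t'\rangle$ must be an
application. This allows for three possibilities:

i. The application comes from $t'$. That is, $V' = \langle\cdot\rangle$ and
$t'$ is a $\mapsto_{dBv}$-redex $t' = L\langle\lambda y.t''\rangle\, L'\langle v\rangle$. The diagram
is exactly as for the multiplicative base case 1c (read
bottom-up).

ii. The application comes from $V'$, left case. That is, $V' = V''w'$.
This case is direct:

\[
\begin{array}{ccc}
(V''\langle t'\rangle w')[x\leftarrow q] & \multimap & t_1 \\
\equiv_{@} & & \equiv_{@} \\
t_2 & \multimap & t_3
\end{array}
\]

where

$t_1 := (V''\langle u'\rangle w')[x\leftarrow q]$,
$t_2 := V''\langle t'\rangle[x\leftarrow q]\, w'[x\leftarrow q]$,
$t_3 := V''\langle u'\rangle[x\leftarrow q]\, w'[x\leftarrow q]$.

iii. The application comes from $V'$, right case. That is,
$V' = L\langle v\rangle V''$. Analogous to the previous case.

(d) Commutation of independent substitutions $\equiv_{com}$. Since
$V'\langle t'\rangle$ must have a substitution at the root, there are two
possibilities:

i. The substitution comes from $t'$. That is, $V' = \langle\cdot\rangle$ and $t'$ is
a $\mapsto_{lsv}$-redex $t' = V''\langle y\rangle[y\leftarrow L\langle v\rangle]$, with $x \notin \mathtt{fv}(L\langle v\rangle)$.
Then: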



B.4 Proof of Proposition 2.2 ($\equiv$ is a strong bisimulation) for call-by-need

We need two preliminary lemmas, proved by straightforward
inductions on $N$:

Lemma B.5. Let $t$ be a term, $N$ be a call-by-need evaluation
context not capturing any variable in $\mathtt{fv}(t)$, and $x \notin \mathtt{fv}(N\langle y\rangle)$.
Then $N\langle t[x\leftarrow u]\rangle \equiv N\langle t\rangle[x\leftarrow u]$.

Lemma B.6. The equivalence relation $\equiv$ as defined for call-by-need
preserves the shape of $N\langle x\rangle$. More precisely, if $N\langle x\rangle \equiv t$,
with $x$ not captured by $N$, then $t$ is of the form $N'\langle x\rangle$, with $x$ not
captured by $N'$.

We follow the structure of the previous proofs of strong
bisimulation, in particular the proof is by induction on Remember
that for call-by-need the definition of the structural equivalence is
different, it is the one given only by axioms $\equiv_{@l}$, $\equiv_{com}$, and $\equiv_{[\cdot]}$.



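1. Base case 1: multiplicative root step $t = L\langle\lambda x.t'\rangle q \mapsto_{dB} u = L\langle t'[x\leftarrow q]\rangle$.
Every application of $\equiv$ inside $q$ or inside one of
the substitutions in $L$ trivially commutes with the step. The
interesting cases are those where structural equivalence has a
critical pair with the step:

(a) Commutation with left of an application $\equiv_{@l}$. If $L = L'[y\leftarrow r]$ then

\[
\begin{array}{ccc}
L'\langle\lambda x.t'\rangle[y\leftarrow r]\, q & \multimap_{dB} & L'\langle t'[x\leftarrow q]\rangle[y\leftarrow r] \\
\equiv_{@l} & & = \\
(L'\langle\lambda x.t'\rangle q)[y\leftarrow r] & \multimap_{dB} & L'\langle t'[x\leftarrow q]\rangle[y\leftarrow r]
\end{array}
\]

\[
\begin{array}{ccc}
V''\langle y\rangle[y\leftarrow L\langle v\rangle][x\leftarrow q] & \multimap_{lsv} & L\langle V''\langle v\rangle[y\leftarrow v]\rangle[x\leftarrow q] \\
\equiv_{com} & & \equiv \\
V''\langle y\rangle[x\leftarrow q][y\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle V''\langle v\rangle[x\leftarrow q][y\leftarrow v]\rangle
\end{array}
\]

ii. The substitution comes from $V'$. That is, $V' = V''[y\leftarrow w']$
with $x \notin \mathtt{fv}(w')$. This case is direct:

\[
\begin{array}{ccc}
V''\langle t'\rangle[y\leftarrow w'][x\leftarrow q] & \multimap & V''\langle u'\rangle[y\leftarrow w'][x\leftarrow q] \\
\equiv_{com} & & \equiv_{com} \\
V''\langle t'\rangle[x\leftarrow q][y\leftarrow w'] & \multimap & V''\langle u'\rangle[x\leftarrow q][y\leftarrow w']
\end{array}
\]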

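(e) Composition of substitutions $\equiv_{[\cdot]}$. As in the previous case,
there are two possibilities:

i. The substitution comes from $t'$. That is, $V' = \langle\cdot\rangle$ and
$t'$ is a $\mapsto_{lsv}$-redex $t' = V''\langle y\rangle[y\leftarrow L\langle v\rangle]$, with
$x \notin \mathtt{fv}(V''\langle y\rangle)$. Then:

\[
\begin{array}{ccc}
V''\langle y\rangle[y\leftarrow L\langle v\rangle][x\leftarrow q] & \multimap_{lsv} & L\langle V''\langle v\rangle[y\leftarrow v]\rangle[x\leftarrow q] \\
\equiv_{[\cdot]} & & = \\
V''\langle y\rangle[y\leftarrow L\langle v\rangle[x\leftarrow q]] & \multimap_{lsv} & L\langle V''\langle v\rangle[y\leftarrow v]\rangle[x\leftarrow q]
\end{array}
\]

ii. The substitution comes from $V'$. That is, $V' = V''[y\leftarrow w']$
with $x \notin \mathtt{fv}(V''\langle t'\rangle)$. The proof for this case
is direct:

\[
\begin{array}{ccc}
V''\langle t'\rangle[y\leftarrow w'][x\leftarrow q] & \multimap & V''\langle u'\rangle[y\leftarrow w'][x\leftarrow q] \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
V''\langle t'\rangle[y\leftarrow w'[x\leftarrow q]] & \multimap & V''\langle u'\rangle[y\leftarrow w'[x\leftarrow q]]
\end{array}
\]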



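(b) Commutation of independent substitutions $\equiv_{com}$. The
substitutions that are commuted by the $\equiv_{com}$ rule must be both
in $L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w'][z\leftarrow r']\rangle$ with
$z \notin \mathtt{fv}(w')$. Let $\widehat{L} = L'\langle L''[z\leftarrow r'][y\leftarrow w']\rangle$. Then:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle u' & \multimap_{dB} & L\langle t'[x\leftarrow u']\rangle \\
\equiv_{com} & & \equiv_{com} \\
\widehat{L}\langle\lambda x.t'\rangle u' & \multimap_{dB} & \widehat{L}\langle t'[x\leftarrow u']\rangle
\end{array}
\]

(c) Composition of substitutions $\equiv_{[\cdot]}$. The substitutions that
appear in the left-hand side of the $\equiv_{[\cdot]}$ rule must both be in
$L$, i.e. $L$ must be of the form $L'\langle L''[y\leftarrow w'][z\leftarrow r']\rangle$ with
$z \notin \mathtt{fv}(L''\langle\lambda x.t'\rangle)$. Let $\widehat{L} = L'\langle L''[y\leftarrow w'[z\leftarrow r']]\rangle$.
Exactly as in the previous case:

\[
\begin{array}{ccc}
L\langle\lambda x.t'\rangle u' & \multimap_{dB} & L\langle t'[x\leftarrow u']\rangle \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
\widehat{L}\langle\lambda x.t'\rangle u' & \multimap_{dB} & \widehat{L}\langle t'[x\leftarrow u']\rangle
\end{array}
\]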

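2. Base case 2: exponential root step $t = N\langle x\rangle[x\leftarrow L\langle v\rangle] \mapsto_{lsv} u = L\langle N\langle v\rangle[x\leftarrow v]\rangle$.
Consider first the case when the $\Leftrightarrow$-redex
is internal to $N\langle x\rangle$. By Lemma B.6 we know $\Leftrightarrow$ preserves the
shape of $N\langle x\rangle$, i.e. $N\langle x\rangle \Leftrightarrow \widehat{N}\langle x\rangle$. Then:

$N\langle x\rangle[x\leftarrow L\langle v\rangle] \multimap_{lsv} L\langle N\langle v\rangle[x\leftarrow v]\rangle$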



B.3 Proof of Proposition 2.2 ($\equiv$ is a strong bisimulation) for right-to-left call-by-value

The proof is obtained as a minimal variation over the proof for 
left-to-right call-by-value (previous subsection), and is therefore 
omitted. 



$\widehat{N}\langle x\rangle[x\leftarrow L\langle v\rangle] \multimap_{lsv} L\langle \widehat{N}\langle v\rangle[x\leftarrow v]\rangle$

If the $\Leftrightarrow$-redex is internal to one of the substitutions in $L$, the
proof is straightforward. Note that the $\Leftrightarrow$-redex has always a
substitution at the root. The remaining possibilities are that such
substitution is in $L$, or that it is precisely $[x\leftarrow L\langle v\rangle]$. Axiom by
axiom:

(a) Commutation with the left of an application $\equiv_{@l}$. The only
possibility is that the substitution $[x\leftarrow L\langle v\rangle]$ is commuted
with the outermost application in $N\langle x\rangle$, i.e. $N = N't'$. The
diagram is:



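$t' = N''\langle x\rangle[x\leftarrow L\langle v\rangle]$. We have:

\[
\begin{array}{ccc}
N''\langle x\rangle[x\leftarrow L\langle v\rangle]\, q & \multimap_{lsv} & L\langle N''\langle v\rangle[x\leftarrow v]\rangle\, q \\
\equiv_{@l} & & \equiv \\
(N''\langle x\rangle q)[x\leftarrow L\langle v\rangle] & \multimap_{lsv} & L\langle (N''\langle v\rangle q)[x\leftarrow v]\rangle
\end{array}
\]

(b) The substitution comes from $N'$. That is: $N' = N''[x\leftarrow w']$.
The proof is then straightforward: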



-O L{(N'{v)t')[x<-v]) 



(N'{x)t')[x<-L{v)] 



N'(x)[x^L(v)]t' -----o L{N'{v)[x^v])t' 

(b) Commutation of independent substitutions = CO m. Two sub- 
cases: 

i. The commuted substitutions both belong to L. Let L be 
the result of commuting them, and the diagram is: 



N"{t')[x^w']q 



N{x)[x<-L{v)] 



N{x)[x<-L{v)] 



-o L{N{v)[x<-v]) 



■o L(N{v)[x<-v]) 



ii. One of the commuted substitutions is [x^L{v)]. Then 
N = N'[y<-t'] and [x<-L(v)] commutes with [y^t 1 ] 
(which implies x / f v(i')). Then: 



N'{x)[y*-t][x*-L{v)] 



N'(x)[x^L(v)][y^t'] 



-O L{N'{v)[y<-t'][x<-v]) 



-o L(N'(v)[x<-v])[y<-tf] 



(c) Composition of substitutions =[.]. Two sub-cases: 

i. The composed substitutions both belong to L. Analo- 
gous to case 2(b)i. 

ii. One of the composed subtitutions is [x*-L(v)]. This 
is not possible if the rule is applied from left to right, 
since it would imply that N{x) = N' (x)[y*-t'~\ with 
x £ N'{x), which is a contradiction. 

Finally, if the =[.] rule is applied from right to left, L is 
of the form L'[y^t'] and: 



-O N"{u')[x<-w']q 



(N"(t')q)[x<-w'] O (N"{u')q)[x<~w'] 

Inductive case 2: left of a substitution TV = N'[x*-q]. The 
situation is: 

t = N'{t')[x<-q] — N'{u')[x<-q] = u 

If the <ss> step is internal to N'(t'), the result follows by i.h.. If 
it is internal to q, the steps are orthogonal, which makes the di- 
agram trivial. The remaining possibility is that the substitution 
is involved in the <ss>- redex. By case analysis on the kind 
of the step =b\ 

(a) Commutation with the left of an application =m- N'(t') 
must be an application. Two possibilities: 

i. The application comes from t'. That is, TV' = (•) and t' is 
a i-^ d B-redex t' = L(\y.t") r. This is exactly as the base 
case la (read bottom-up). 

ii. The application comes from N', i.e. N' = N" w'. This 
is exactly as the inductive case 3b (read bottom-up). 

(b) Commutation of independent substitutions = com . Since 
N'(t') must have a substitution at the root, there are two 
possibilities: 

i. The substitution comes from t'. That is, N' = (•) and t' is 
a i-^i S v-redex t' = N" (y)[y<-L(v)], with x / f v(L{v)). 
This case is exactly as the base exponential case 2(b)ii 
(read bottom-up). 

ii. The substitution comes from N'. That is, N' = 
N"[y*-w'] with x fv(w'). The diagram is: 



-O N"(u')[y<-w'][x<-q] 



-O L'(N(v)[x^v])[y^t'] 



N(x)[x^L'(v)[y^t']] 

=[•] 

N(x)[x<-L'(v)][y<-t'] - -o L'(N(x)[x<-v])[y<-t'] 

3. Inductive case 1: left of an application N = N'q. The situa- 
tion is: 

t = N'{t')q^> N'(u')q = u 

If the <ss> step is internal to N'(t'), the result follows by i.h.. 
The proof is also direct if <s*- is internal to q. The nontrivial 
cases are those where <ss> overlaps N'(t'} and q. The only 
possible case is that a substitution commutes with the topmost 
application via =(m (applied from right to left). There are two 
cases: 

(a) The substitution comes from t'. That is, N' = {■) and t' 
has a substitution at its root. Then t' must be a i-^i sv -redex 



N"(t')[y^w'][x^q] 



N"(t')[x^q][y^w'] - - - o N" (u')[x<-q][y<-w'] 

(c) Composition of substitutions =[.]. As in the previous case, 
there are two possibilities: 

i. The substitution comes from t'. That is, N' = (■) and 
t' is a i-^i sv -redex t' = N"(y)[y*-L{v)], with x 
fv(N"(y)). This case is exactly as the base exponential 
case 2(c)ii (read bottom-up). 

ii. The substitution comes from N'. That is, N' = 
N"[y<-w'] with x i ±v(N"(t')). The diagram is: 



-O N"(u')[y<-w'][x<-q] 



N"(t')[y^w'][x^q] 



=[•] =[•] 
N"(t')[y<-w'[x^q]] - - --o N"{u')[y<-w'[x<-q]] 

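Inductive case 3: inside a hereditary head substitution
$N = N'\langle x\rangle[x\leftarrow N'']$. The situation is:

$$t = N'\langle x\rangle[x\leftarrow N''\langle q\rangle] \multimap N'\langle x\rangle[x\leftarrow N''\langle q'\rangle] = u$$

If $\Leftrightarrow$ is internal to $N'\langle x\rangle$ the two steps clearly commute. If
$\Leftrightarrow$ is internal to $N''\langle q\rangle$ we conclude using the i.h. The
remaining cases are when $\Leftrightarrow$ overlaps with the topmost constructor.
Axiom by axiom:

(a) Commutation with the left of an application $\equiv_{@l}$. It must be
that $N'\langle x\rangle = N'''\langle x\rangle r$ with $x \notin \mathrm{fv}(r)$. Then the two steps
simply commute:

$$\begin{array}{ccc}
(N'''\langle x\rangle r)[x\leftarrow N''\langle q\rangle] & \multimap & (N'''\langle x\rangle r)[x\leftarrow N''\langle q'\rangle] \\
N'''\langle x\rangle[x\leftarrow N''\langle q\rangle]\, r & \multimap & N'''\langle x\rangle[x\leftarrow N''\langle q'\rangle]\, r
\end{array}$$

(b) Commutation of independent substitutions $\equiv_{com}$. It must be
that $N'\langle x\rangle = N'''\langle x\rangle[y\leftarrow r]$ with $x \notin \mathrm{fv}(r)$. Then the two
steps simply commute:

$$\begin{array}{ccc}
N'''\langle x\rangle[y\leftarrow r][x\leftarrow N''\langle q\rangle] & \multimap & t_1 \\
t_2 & \multimap & t_3
\end{array}$$

where

$$\begin{array}{rcl}
t_1 & := & N'''\langle x\rangle[y\leftarrow r][x\leftarrow N''\langle q'\rangle], \\
t_2 & := & N'''\langle x\rangle[x\leftarrow N''\langle q\rangle][y\leftarrow r], \\
t_3 & := & N'''\langle x\rangle[x\leftarrow N''\langle q'\rangle][y\leftarrow r].
\end{array}$$

(c) Composition of substitutions $\equiv_{[\cdot]}$. There are various
sub-cases:

i. $[x\leftarrow N''\langle q\rangle]$ enters in a substitution. It must be that
$N'\langle x\rangle = N_1\langle y\rangle[y\leftarrow N_2\langle x\rangle]$ with
$x \notin \mathrm{fv}(N_1\langle y\rangle)$. Then the diagram is:

$$\begin{array}{ccc}
N_1\langle y\rangle[y\leftarrow N_2\langle x\rangle][x\leftarrow N''\langle q\rangle] & \multimap & t_1 \\
\equiv_{[\cdot]} & & \\
t_2 & \multimap & t_3
\end{array}$$

where

$$\begin{array}{rcl}
t_1 & = & N_1\langle y\rangle[y\leftarrow N_2\langle x\rangle][x\leftarrow N''\langle q'\rangle], \\
t_2 & = & N_1\langle y\rangle[y\leftarrow N_2\langle x\rangle[x\leftarrow N''\langle q\rangle]], \\
t_3 & = & N_1\langle y\rangle[y\leftarrow N_2\langle x\rangle[x\leftarrow N''\langle q'\rangle]].
\end{array}$$

ii. A substitution pops out of $[x\leftarrow N''\langle q\rangle]$. Two sub-cases:

A. The substitution comes from $N''$. Then
$N''\langle q\rangle = N'''\langle q\rangle[y\leftarrow r]$. The diagram is:

$$\begin{array}{ccc}
N'\langle x\rangle[x\leftarrow N'''\langle q\rangle[y\leftarrow r]] & \multimap & t_1 \\
\equiv_{[\cdot]} & & \equiv_{[\cdot]} \\
t_2 & \multimap & t_3
\end{array}$$

where

$$t_1 = N'\langle x\rangle[x\leftarrow N'''\langle q'\rangle[y\leftarrow r]], \tag{2}$$
$$t_2 = N'\langle x\rangle[x\leftarrow N'''\langle q\rangle][y\leftarrow r], \tag{3}$$
$$t_3 = N'\langle x\rangle[x\leftarrow N'''\langle q'\rangle][y\leftarrow r]. \tag{4}$$

B. The substitution comes from $q$. Then $N'' = \langle\cdot\rangle$ and
$q$ is a $\mapsto_{lsv}$-redex $t' = N'''\langle y\rangle[y\leftarrow L\langle v\rangle]$ and the
diagram is:

$$\begin{array}{ccc}
N'\langle x\rangle[x\leftarrow N'''\langle y\rangle[y\leftarrow L\langle v\rangle]] & \multimap & t_1 \\
t_2 & \multimap_{lsv} & t_3
\end{array}$$

where

$$t_1 = N'\langle x\rangle[x\leftarrow L\langle N'''\langle v\rangle[y\leftarrow v]\rangle], \tag{5}$$
$$t_2 = N'\langle x\rangle[x\leftarrow N'''\langle y\rangle][y\leftarrow L\langle v\rangle], \tag{6}$$
$$t_3 = L\langle N'\langle x\rangle[x\leftarrow N'''\langle v\rangle][y\leftarrow v]\rangle. \tag{7}$$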



B.5 Proofs for the LAM 

Invariants, Lemma 6.3. By induction on the length of the execution 
leading to s, and straightforward inspection of the transition rules. 

□



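Distillation, Theorem 6.4.

1. Commutative 1. We have
$t u \mid e \mid \pi \to_{c_1} u \mid e \mid f(t, e) :: \pi$, and:

$$\underline{t u \mid e \mid \pi} = \underline{\pi}\langle\underline{e}\langle t u\rangle\rangle \equiv_{@} \underline{\pi}\langle\underline{e}\langle t\rangle\,\underline{e}\langle u\rangle\rangle = \underline{u \mid e \mid f(t, e) :: \pi}$$

As before, we use that $\underline{\pi}$ is a right-to-left call-by-value
evaluation context, which enables us to use the $\equiv_{@}$ rule.

2. Commutative 2. We have
$v \mid e \mid f(t, e') :: \pi \to_{c_2} t \mid e' \mid a(v, e) :: \pi$, and:

$$\underline{v \mid e \mid f(t, e') :: \pi} = \underline{\pi}\langle\underline{e'}\langle t\rangle\,\underline{e}\langle v\rangle\rangle = \underline{t \mid e' \mid a(v, e) :: \pi}$$

3. Multiplicative. We have
$\lambda x.t \mid e \mid a(c) :: \pi \to_m t \mid [x\leftarrow c] :: e \mid \pi$, and:

$$\underline{\lambda x.t \mid e \mid a(c) :: \pi} = \underline{\pi}\langle\underline{e}\langle\lambda x.t\rangle\,\underline{c}\rangle \multimap_m \underline{\pi}\langle\underline{e}\langle t[x\leftarrow \underline{c}]\rangle\rangle$$

which is equal to $\underline{t \mid [x\leftarrow c] :: e \mid \pi}$.

4. Exponential. Let $e = e'' :: [x\leftarrow(t, e')] :: e'''$. We have
$x \mid e \mid \pi \to_e t \mid e' \mid \pi$, and: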



E_(e(x}} 



■K(e" (e (e" (t)[x+-t\))) =* gc n{e_ 



Note that by Lemma 6.3.3, $t$ is an abstraction, and thus we are
able to apply $\multimap_e$. Moreover, by Lemma 6.3.1, $e$ binds variables
to closures, and $\underline{e}\langle t\rangle$ is closed; this allows and to be
garbage collected. For doing so, the $\equiv_{gc}$ rule must be applied
below a right-to-left call-by-value evaluation context, which
follows from Lemma 6.3.4.

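Progress. Let $s = t \mid e \mid \pi$ be a commutative normal form s.t.
$\underline{s} \multimap u$. If $t$ is

• an application $u w$. Then a $\to_{c_1}$ transition applies and $s$ is not a
commutative normal form, absurd.

• an abstraction $\lambda x.u$. Then $\underline{s} = \underline{\pi}\langle\underline{e}\langle\lambda x.u\rangle\rangle$ is not in normal
form. There can only be a $\multimap_m$-redex, so $\underline{\pi}$ must be of the form
$\underline{\pi'}\langle\langle\cdot\rangle c\rangle$. This implies there is a $\to_m$ transition from $s$.

• a variable $x$. Then $\underline{s} = \underline{\pi}\langle\underline{e}\langle x\rangle\rangle$ is not in normal form. There
can only be a $\multimap_e$-redex, and it must involve $x$, thus
$\underline{e} = \underline{e'''}\langle\underline{e''}[x\leftarrow \underline{e'}\langle v\rangle]\rangle$. This implies there is a $\to_e$ transition from
$s$. □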
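The four LAM transitions used in the proofs above can be run directly. The following is an added sketch, not code from the paper: the tuple encoding of terms, the first-match environment lookup (in place of the paper's distinct-names convention), the fuel bound and all function names are assumptions made for the example.

```python
from collections import Counter

# Assumed encoding: ("var", x) | ("lam", x, body) | ("app", t, u).
# Environment e: tuple of (x, closure) pairs, closure = (term, env).
# Stack pi: tuple of frames ("f", t, e) or ("a", closure).

def lam_step(state):
    """One LAM transition: (label, next_state), or None on a final state."""
    t, e, pi = state
    if t[0] == "app":        # c1: t u | e | pi -> u | e | f(t,e)::pi
        _, fun, arg = t
        return "c1", (arg, e, (("f", fun, e),) + pi)
    if t[0] == "var":        # e: x | e | pi -> t | e' | pi
        for name, (body, env) in e:   # first match = innermost binding
            if name == t[1]:
                # Lemma 6.3.3: the fetched term is an abstraction
                assert body[0] == "lam", "invariant violated"
                return "e", (body, env, pi)
        raise LookupError(f"stuck: free variable {t[1]!r}")
    if not pi:               # abstraction with empty stack: final state
        return None
    frame, rest = pi[0], pi[1:]
    if frame[0] == "f":      # c2: v | e | f(t,e')::pi -> t | e' | a(v,e)::pi
        _, fun, fun_env = frame
        return "c2", (fun, fun_env, (("a", (t, e)),) + rest)
    _, x, body = t           # m: \x.t | e | a(c)::pi -> t | [x<-c]::e | pi
    return "m", (body, ((x, frame[1]),) + e, rest)

def run(term, fuel=10_000):
    """Run from term | [] | []; return (final_state, transition counts)."""
    state, counts = (term, (), ()), Counter()
    for _ in range(fuel):
        nxt = lam_step(state)
        if nxt is None:
            return state, counts
        counts[nxt[0]] += 1
        state = nxt[1]
    raise RuntimeError("fuel exhausted (term may diverge)")

# Constructed sample term: (\x. x x) (\y. y)
I = ("lam", "y", ("var", "y"))
DELTA = ("lam", "x", ("app", ("var", "x"), ("var", "x")))
SAMPLE = ("app", DELTA, I)

if __name__ == "__main__":
    final, counts = run(SAMPLE)
    print(final[0], dict(counts))
```

Only the `m` and `e` counts correspond to steps of the distilled derivation; the `c1` and `c2` transitions are the ones whose decodings are related by equality or structural equivalence in the proof above.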



B.6 Proofs for the MAM 

Proof. Let $\Leftrightarrow$ be the symmetric and contextual closure of the $\sim$
rule by which $\equiv_{MAM}$ is defined. Note $\equiv_{MAM}$ is the
reflexive-transitive closure of $\Leftrightarrow$. It suffices to show that the
property holds for $\Leftrightarrow$, i.e. that $w \Leftrightarrow t \multimap u$ implies
$w \multimap\equiv_{MAM} u$. The fact that $\Leftrightarrow^*$ is a
bisimulation then follows by induction on the number of $\Leftrightarrow$ steps.

Let $w \Leftrightarrow t \multimap u$. The proof of $w \multimap\equiv_{MAM} u$ goes by induction
on the call-by-need context $N$ under which the $\multimap$-redex in $t$ is
contracted. Note that since $t_1 \sim t_2$ determines a bijection between
the redexes of $t_1$ and $t_2$, it suffices to check the cases when $\sim$ is
applied from left to right (i.e. $t \sim w$). For the right-to-left cases, all
diagrams can be considered from bottom to top.

• Base case, i.e. empty context $N = \langle\cdot\rangle$. Two cases, depending
on the $\multimap$ step contracting a $\mapsto_{dB}$ or a $\mapsto_{ls}$ redex:

1. Case $t = L\langle\lambda x.t'\rangle u' \mapsto_{dB} L\langle t'[x\leftarrow u']\rangle$. There are no $\sim$
redexes in $t$, since any application in $t$ must be either $t$
itself or below $\lambda x$, which is not a call-by-name evaluation
context.

2. Case $t = N\langle x\rangle[x\leftarrow t'] \mapsto_{ls} N\langle t'\rangle[x\leftarrow t']$. Any $\sim$-redex must
be internal to $N$, in the sense that
$N = N'\langle(N'' u')[y\leftarrow w']\rangle$ with $y \notin \mathrm{fv}(u')$.
Let $\widehat{N} = N'\langle N''[y\leftarrow w']\, u'\rangle$. Then:

$$\begin{array}{ccc}
N\langle x\rangle[x\leftarrow t'] & \multimap & N\langle t'\rangle[x\leftarrow t'] \\
\widehat{N}\langle x\rangle[x\leftarrow t'] & \multimap & \widehat{N}\langle t'\rangle[x\leftarrow t']
\end{array}$$

• Inductive case $N = N' q$. Since the application of $\Leftrightarrow$ must be
internal to $N'$, the result follows directly by i.h.

• Inductive case $N = N'[x\leftarrow q]$. If the $\Leftrightarrow$ step is internal to
$N'$, the result follows again by applying i.h. The remaining
possibility is that $N'\langle t\rangle$ is an application. Here there are two
cases:

1. $N' = \langle\cdot\rangle$, i.e. $\sim$ interacts with a redex. The redex in
question must be a dB-redex, since it must have an application at
the root. The situation is the following, with $x \notin \mathrm{fv}(u')$:

$$\begin{array}{ccc}
(L\langle\lambda y.t'\rangle u')[x\leftarrow q] & \multimap & L\langle t'[y\leftarrow u']\rangle[x\leftarrow q] \\
L\langle\lambda y.t'\rangle[x\leftarrow q]\, u' & \multimap & L\langle t'[y\leftarrow u']\rangle[x\leftarrow q]
\end{array}$$

2. $N' = N'' t'$, i.e. there is no interaction between $\sim$ and a
redex. This case is straightforward, since the contraction of
the $\multimap$ redex and the application of $\sim$ are orthogonal. □

B.7 Proofs for the Split CEK 

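Split CEK Distillation, Theorem 7.7. Properties of the decoding:

1. Commutative 1. We have
$t u \mid e \mid \pi \mid D \to_{c_1} t \mid e \mid (u, e) :: \pi \mid D$, and:

$$\underline{t u \mid e \mid \pi \mid D} = \underline{D}\langle\underline{\pi}\langle\underline{e}\langle t u\rangle\rangle\rangle \equiv^*_{@} \underline{D}\langle\underline{\pi}\langle\underline{e}\langle t\rangle\,\underline{e}\langle u\rangle\rangle\rangle = \underline{t \mid e \mid (u, e) :: \pi \mid D}$$

2. Commutative 2. We have
$v \mid e \mid (t, e') :: \pi \mid D \to_{c_2} t \mid e' \mid \epsilon \mid ((v, e), \pi) :: D$, and: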

v\e\(t,e') ::tt\D = D{n{e{v) l(t))) =* gc 

D{n(e{veL®))) 
t\e'\e\ (Q7,e),7r) :: D 



3. Multiplicative. We have
$v \mid e \mid \epsilon \mid ((\lambda x.t, e'), \pi) :: D \to_m t \mid [x\leftarrow(v, e)] :: e' \mid \pi \mid D$, and:

u|e|e|((Aa;.i,e'),ir)::£) = 
D(E(<i((Xx.t)e(v}))) 

1 1 [x^(v,e)] ::e'\ir\D 

4. Exponential. We have
$x \mid e_1 :: [x\leftarrow(v, e)] :: e_2 \mid \pi \mid D \to_e v \mid e \mid \pi \mid D$, and:

x | ei :: [x^(v, e)] :: e 2 \ tt \ D = 

D(7L(§2(e(ei(v)[x^v])))) =* gc 

g(E(e(v)}) 

v | e | tt | D 

We use that $\underline{e}\langle v\rangle$ is closed by Lemma 7.6.1 to ensure that $e_1$,
$e_2$, and $[x\leftarrow v]$ can be garbage collected.

Progress. Let $s = t \mid e \mid \pi$ be a commutative normal form s.t.
$\underline{s} \multimap u$. If $t$ is

• an application $u w$. Then a $\to_{c_1}$ transition applies and $s$ is not a
commutative normal form, absurd.

• an abstraction $v$. The decoding $\underline{s} = \underline{D}\langle\underline{\pi}\langle\underline{e}\langle v\rangle\rangle\rangle$ must have
a multiplicative redex, because it must have a redex and $v$ is
not a variable. So $v$ is applied to something, i.e. there must be
at least one application node in $\underline{D}\langle\underline{\pi}\rangle$. Moreover, the stack $\pi$
must be empty, otherwise there would be an administrative $\to_{c_2}$
transition, contradicting the hypothesis. So $D$ is not empty. Let
$D = ((u, e), \pi') :: D'$. By point 3 of Lemma 7.6, $u$ must be a
value, and a transition applies.

• a variable $x$. By point 1 of Lemma 7.6, $x$ must be bound by $e$,
so $e = e_1 :: [x\leftarrow(u, e')] :: e_2$ and a transition applies.

□ 

B.8 Proofs for the Merged WAM 

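Distillation, Theorem 8.5.

1. Commutative 1. We have
$t u \mid \pi \mid E \to_{c_1} t \mid a(u) :: \pi \mid E$, and:

$$\underline{t u \mid \pi \mid E} = \underline{E}\langle\underline{\pi}\langle t u\rangle\rangle = \underline{t \mid a(u) :: \pi \mid E}$$

2. Commutative 2. We have
$x \mid \pi \mid E_1 :: [x\leftarrow t] :: E_2 \to_{c_2} t \mid h(E_1, x) :: \pi \mid E_2$, and:

$$\underline{x \mid \pi \mid E_1 :: [x\leftarrow t] :: E_2} = \underline{E_2}\langle\underline{E_1}\langle\underline{\pi}\langle x\rangle\rangle[x\leftarrow t]\rangle = \underline{t \mid h(E_1, x) :: \pi \mid E_2}$$

3. Multiplicative. We have
$\lambda x.t \mid a(u) :: \pi \mid E \to_m t \mid \pi \mid [x\leftarrow u] :: E$, and:

$$\begin{array}{rcl}
\underline{\lambda x.t \mid a(u) :: \pi \mid E} & = & \underline{E}\langle\underline{\pi}\langle(\lambda x.t) u\rangle\rangle \\
& \multimap_m & \underline{E}\langle\underline{\pi}\langle t[x\leftarrow u]\rangle\rangle \\
& \equiv_{\text{Lem. 2.4}} & \underline{E}\langle\underline{\pi}\langle t\rangle[x\leftarrow u]\rangle \\
& = & \underline{t \mid \pi \mid [x\leftarrow u] :: E}
\end{array}$$

4. Exponential. We have
$v \mid h(E_1, x) :: \pi \mid E_2 \to_e v^\alpha \mid \pi \mid E_1 :: [x\leftarrow v] :: E_2$, and:

$$\begin{array}{rcl}
\underline{v \mid h(E_1, x) :: \pi \mid E_2} & = & \underline{E_2}\langle\underline{E_1}\langle\underline{\pi}\langle x\rangle\rangle[x\leftarrow v]\rangle \\
& \multimap_e & \underline{E_2}\langle\underline{E_1}\langle\underline{\pi}\langle v\rangle\rangle[x\leftarrow v]\rangle \\
& =_\alpha & \underline{E_2}\langle\underline{E_1}\langle\underline{\pi}\langle v^\alpha\rangle\rangle[x\leftarrow v]\rangle \\
& = & \underline{v^\alpha \mid \pi \mid E_1 :: [x\leftarrow v] :: E_2}
\end{array}$$

Progress. Let $s = t \mid \pi \mid E$ be a commutative normal form s.t.
$\underline{s} \multimap u$. If $t$ is

1. an application $u w$. Then a $\to_{c_1}$ transition applies and $s$ is not a
commutative normal form, absurd.

2. an abstraction $v$. The decoding $\underline{s}$ is of the form $\underline{E}\langle\underline{\pi}\langle v\rangle\rangle$. The
stack $\pi$ cannot be empty, since then $\underline{s} = \underline{E}\langle v\rangle$ would be normal.
So either a $\to_e$ or a $\to_m$ transition applies.

3. a variable $x$. By the global closure invariant, $x$ is bound by
$E$. Then a $\to_{c_2}$ transition applies and $s$ is not a commutative
normal form, absurd. □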

B.9 Proofs for the Pointing WAM 

Pointing WAM Invariants, Lemma 9.3. By induction on the length
of the execution. Points 1 and 2 are by direct inspection of the rules.
Assuming $E \perp D$, point 4 is immediate by induction on the length
of $D$.

Thus we are only left to check point 3. We use point 2, i.e. that
substitutions in $E$ bind pairwise distinct variables. In the following
we show that transitions preserve the invariant:

1. Commutative 1. We have:

$$t u \mid \pi \mid D \mid E \to_{c_1} t \mid u :: \pi \mid D \mid E$$

Trivial, since the dump and the environment are the same and
$(u :: \pi)\langle t\rangle = \pi\langle t u\rangle$.

2. Commutative 2. We have $s \to_{c_2} s'$ with:

$$\begin{array}{rcl}
s & = & x \mid \pi \mid D \mid E_1 :: [x\leftarrow t] :: E_2 \\
s' & = & t \mid \epsilon \mid (x, \pi) :: D \mid E_1 :: [x\leftarrow\square] :: E_2
\end{array}$$

Note that since by i.h. $(\pi\langle x\rangle, (E_1 :: [x\leftarrow t] :: E_2)\upharpoonright)$ is closed
and $x$ is free in $\pi\langle x\rangle$, there cannot be any dumped substitutions
in $E_2$. Then $(E_1 :: [x\leftarrow t] :: E_2)\upharpoonright = E_1\upharpoonright :: [x\leftarrow t] :: E_2$ and we
know:

$$(\pi\langle x\rangle, E_1\upharpoonright :: [x\leftarrow t] :: E_2) \text{ is closed} \tag{8}$$

For 3a, note $(E_1 :: [x\leftarrow\square] :: E_2)\upharpoonright = E_2$. Then we must show
$(t, E_2)$ is closed, which is implied by (8).

For 3b, there are two cases:

• If the pair is $(x, \pi)$, we must show

$$(\pi\langle x\rangle, (E_1 :: [x\leftarrow\square] :: E_2)\upharpoonright_x) \text{ is closed, i.e.}$$

$$(\pi\langle x\rangle, E_1\upharpoonright :: [x\leftarrow\square] :: E_2) \text{ is closed}$$

which is implied by (8).

• If the pair is $(y, \pi')$ in $D$, with $y \neq x$, note first that

$$(E_1 :: [x\leftarrow t] :: E_2)\upharpoonright_y = E_1\upharpoonright_y :: [x\leftarrow t] :: E_2$$

And similarly for $(E_1 :: [x\leftarrow\square] :: E_2)\upharpoonright_y$. Moreover, by the
invariant on $s$ we know

$$(\pi'\langle y\rangle, E_1\upharpoonright_y :: [x\leftarrow t] :: E_2) \text{ is closed}$$

and this implies

$$(\pi'\langle y\rangle, E_1\upharpoonright_y :: [x\leftarrow\square] :: E_2) \text{ is closed}$$

as required.

For 3c, we have already observed that $E_2$ has no dumped
substitutions. Then $[x\leftarrow\square]$ is the rightmost dumped substitution
in the environment of $s'$, while $(x, \pi)$ is the leftmost pair in the
dump. We conclude by the fact that the invariant already holds
for $s$.

3. Multiplicative, empty dump. We have $s \to s'$ with:

$$\begin{array}{rcl}
s & = & \lambda x.t \mid u :: \pi \mid \epsilon \mid E \\
s' & = & t \mid \pi \mid \epsilon \mid [x\leftarrow u] :: E
\end{array}$$

First note that, since the environment and the dump are dual in
$s$, there are no dumped substitutions in $E$.

For point 3a, we know that:

$$(\pi\langle(\lambda x.t) u\rangle, E) \text{ is closed} \tag{9}$$

and we have to check:

$$(\pi\langle t\rangle, [x\leftarrow u] :: E) \text{ is closed}$$

Let $y \in \mathrm{fv}(\pi\langle t\rangle)$. Then either $y = x$, which is bound by $[x\leftarrow u]$,
or $y \in \mathrm{fv}(\pi\langle\lambda x.t\rangle)$, in which case $y$ is bound by $E$. Moreover,
since $\pi$ is an application context, by (9) we get $(u, E)$ is closed.

Points 3b and 3c are trivial since the dump is empty and the
environment has no dumped substitutions.

4. Multiplicative, non-empty dump. We have $s \to s'$ with:

$$\begin{array}{rcl}
s & = & \lambda x.t \mid u :: \pi \mid (y, \pi') :: D \mid E_1 :: [y\leftarrow\square] :: E_2 \\
s' & = & t \mid \pi \mid (y, \pi') :: D \mid E_1 :: [y\leftarrow\square] :: [x\leftarrow u] :: E_2
\end{array}$$

Note first that since the invariant holds for $s$, we know $[y\leftarrow\square]$
is the rightmost dumped substitution in the environment of both
$s$ and $s'$. Therefore $(E_1 :: [y\leftarrow\square] :: E_2)\upharpoonright = E_2$.

For proving point 3a, we have:

$$(\pi\langle(\lambda x.t) u\rangle, E_2) \text{ is closed}$$

and we must show:

$$(\pi\langle t\rangle, [x\leftarrow u] :: E_2) \text{ is closed}$$

The situation is exactly as in point 3a for the transition,
empty dump case.

For point 3b, let $(z, \pi'')$ be any pair in $(y, \pi') :: D$. Let also

$$E_1' := \begin{cases} E_1\upharpoonright & \text{if } y = z \\ E_1\upharpoonright_z & \text{otherwise} \end{cases}$$

and note that $(E_1 :: [y\leftarrow\square] :: E)\upharpoonright_y = E_1' :: [y\leftarrow\square] :: E$ for any
environment $E$ that contains no dumped substitutions. By the
invariant on $s$, we have that:

$$(\pi''\langle z\rangle, E_1' :: [y\leftarrow\square] :: E_2) \text{ is closed}$$

Moreover, from point 3a we know $(u, E_2)$ is closed. Both imply:

$$(\pi''\langle z\rangle, E_1' :: [y\leftarrow\square] :: [x\leftarrow u] :: E_2) \text{ is closed}$$

as required.

For point 3c, just note that the substitution $[x\leftarrow u]$ added to
the environment is not dumped, and so duality holds because
it holds for $s$ by i.h.

5. Exponential. We have $s \to s'$ with:

$$\begin{array}{rcl}
s & = & v \mid \epsilon \mid (x, \pi) :: D \mid E_1 :: [x\leftarrow\square] :: E_2 \\
s' & = & v^\alpha \mid \pi \mid D \mid E_1 :: [x\leftarrow v] :: E_2
\end{array}$$

First note that since the environment and the dump are dual in
$s$, we know $E_2$ has no dumped substitutions.

For proving point 3a, by resorting to point 3a on the state $s$, for
which the invariant already holds, we have that:

$$(v, E_2) \text{ is closed} \tag{10}$$

Moreover, by point 3b on $s$, specialized on the pair $(x, \pi)$, we
also know:

$$(\pi\langle x\rangle, E_1\upharpoonright :: [x\leftarrow\square] :: E_2) \text{ is closed} \tag{11}$$

We must check that:

$$(\pi\langle v^\alpha\rangle, E_1\upharpoonright :: [x\leftarrow v] :: E_2) \text{ is closed}$$

Any free variable in $\pi\langle v^\alpha\rangle$ is either free in $\pi$, in which case
by (10) it must be bound by $E_1\upharpoonright :: [x\leftarrow\square] :: E_1$, or free in $v$,
in which case by (10) it must be bound by $E_2$. In both cases it
is bound by $E_1\upharpoonright :: [x\leftarrow v] :: E_2$, as required. To conclude the
proof of point 3a, note that by combining (10) and (11) we get
$E_1\upharpoonright :: [x\leftarrow v] :: E_2$ is closed.

For proving point 3b, let $(y, \pi')$ be a pair in $D$. Using that
$x \neq y$, by the invariant on $s$ we know:

$$(\pi'\langle y\rangle, E_1\upharpoonright_y :: [x\leftarrow\square] :: E_2) \text{ is closed}$$

and this implies:

$$(\pi'\langle y\rangle, E_1\upharpoonright_y :: [x\leftarrow v] :: E_2) \text{ is closed}$$

as wanted.

Point 3c is immediate, given that the environment and the dump
are already dual in $s$.



B.10 Proofs for Distillation is Complexity Preserving 

Theorem 10.3. 1. LAM. As for the CEK, using the corresponding 
subterm invariant and the following measure: 



2. Split CEK. As for the CEK, using the corresponding subterm 
invariant and the following measure: 



□



